Microsoft Windows is under threat from a new critical security vulnerability. Soberly designated CVE-2025-21298, it sits at the heart of Windows Object Linking and Embedding (OLE), the component that lets documents and other objects be embedded seamlessly in applications. That same component harbors a particular danger: a cursory glance at the Outlook inbox, or the thoughtless opening of an email preview, can be enough to open the digital door to uninvited guests.
Hackers can exploit the so-called "use after free" security gap to take control of the victim's computer "by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane."
The consequences of such an attack can be devastating, ranging from data theft and espionage to the complete encryption of the system by ransomware. Various versions of Windows 10, Windows 11 and Windows Server are affected. The vulnerability has a CVSSv3 score of 9.8 out of 10 and is therefore rated "critical". However, Microsoft states that it has not observed any exploitation of the vulnerability to date.
Microsoft is already rolling out security patches to close the hole, and users are strongly recommended to install these updates as soon as possible. Until the updates are installed, users are advised to view emails as plain text and, in large networks, to restrict NTLM traffic or disable NTLM altogether. Configuring Microsoft Outlook to display emails in plain text instead of a rich format prevents the display of other types of content, such as photos, animations or specialized fonts, through which the vulnerability can be exploited.
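As an added example (not part of the original article or of Microsoft's guidance text), the following PowerShell script applies the plain-text workaround described above by setting Outlook's ReadAsPlain registry value, and reports the effective state first. It assumes an Outlook 2016/2019/365 installation (registry version segment "16.0"); the key paths and value name are the ones Microsoft documents for the "read all standard mail in plain text" option.

```powershell
# Added example: enforce "read all mail as plain text" in Outlook for the current user.
# Assumption: Outlook 2016/2019/365, whose settings live under the "16.0" version key.
$OutlookVersion = '16.0'
$UserKey   = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\Options\Mail"
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OutlookVersion\Outlook\Options\Mail"

function Get-ReadAsPlainState {
    # Report both the user value and the policy value; a policy value overrides the user value.
    $user   = (Get-ItemProperty -Path $UserKey   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $policy = (Get-ItemProperty -Path $PolicyKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 0 }
    [pscustomobject]@{
        UserValue   = $user
        PolicyValue = $policy
        PlainText   = ($effective -eq 1)   # $true only when rich content is suppressed
    }
}

function Set-ReadAsPlain {
    # Writes ReadAsPlain = 1 (DWORD). Use -Policy to write the policy key so the user
    # cannot switch the option back in the Outlook Trust Center.
    param([switch]$Policy)
    $key = if ($Policy) { $PolicyKey } else { $UserKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

# Check the current state, apply the workaround only if it is not already active, then re-check.
$before = Get-ReadAsPlainState
if (-not $before.PlainText) {
    Set-ReadAsPlain
}
Get-ReadAsPlainState | Format-List
```

Restart Outlook after running the script so the new value is picked up; once the January 2025 updates are installed, the setting can be reverted if rich-format mail is required.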
Source(s)
BSI: Microsoft Windows: Critical vulnerability in Windows OLE (PDF)
BSI warns Windows users: malware lands on devices without user interaction - CHIP
Microsoft Security Update Summary (14 January 2025) - Borns IT- und Windows-Blog
CVE-2025-21298 - Security Update Guide - Microsoft - Windows OLE Remote Code Execution Vulnerability