Microsoft has confirmed that three zero-day vulnerabilities impacting Windows users are already being exploited, and news of a new Microsoft 365 high-speed password attack breaking, Outlook users might have felt left out. But no more, as Microsoft has also confirmed that an “exploitation more likely’ critical vulnerability rating a massive 9.8 out of 10 on the Common Vulnerabilities and Exposures scale needs patching as a matter of some urgency. Here’s what you need to know.
The Microsoft Outlook CVE-2025-21298 Vulnerability Explained
The monthly rollout of security vulnerability confirmations and updates that is Patch Tuesday always brings one or two surprises along for the ride. This month, the surprise has undoubtedly been the three actively exploited zero-day vulnerabilities impacting Windows Hyper V users. With a total of 156 other vulnerabilities also listed by Microsoft, the danger is that others of equal importance could get obfuscated by the attention to the zero-day headline-grabbing CVEs. But it takes a lot to get past me and my cohort of friendly and knowledgeable security experts, which brings me nicely to CVE-2025-21298.
This 9.8 rated, critical Windows object linking and embedding mechanism remote code execution Outlook vulnerability, can be triggered by a malicious rich text format document. These documents, typically opened in Office applications like Microsoft Word, are “often sent as attachments or as links through phishing campaigns with attractive names as lures to convince users to open them,” Kev Breen, senior director of threat research at Immersive Labs, said. As such, Breen warned, it should be “high on the list to patch sooner rather than later.”
CVE-2025-21298 is being referred to as a remote network attack, but the actual vector is via email and not a service listening on the network. “The Microsoft Outlook preview pane is a valid attack vector,” Tyler Reguly, associate director of security research and development at Fortra, said, “which lends itself to calling this a remote attack.”
Mitigating The Microsoft Outlook Attack Risk
Mike Walters, president and co-founder of Action1, warned that CVE-2025-21298 “poses a significant threat to organizations, potentially leading to full system compromise.” The vulnerability, if successfully exploited, could lead to the execution of arbitrary code to take full control of the system, the installation of malicious software, modification or deletion of data and access to sensitive information, Walters said. Walters also said that it could be carried out over a network and requires only low complexity for an attack to succeed, “organizations and individuals using Windows systems and applications that process OLE objects, particularly email clients like Microsoft Outlook, should immediately patch the vulnerability,” Walters concluded.
A Microsoft spokesperson said: “We have released an update and customers who have installed it are already protected.”
For organizations that are not able to patch immediately, Breen recommended that the workaround provided by Microsoft to only open RTF files from unknown sources in Outlook using a plain text format should be followed.
