Microsoft Windows is facing a new major security risk. Tracked as CVE-2025-21298, this issue lies in the Windows Object Linking and Embedding (OLE) feature, which allows documents and objects to be easily embedded in different applications. That convenience comes with a significant threat: merely glancing at an Outlook inbox or opening an email preview can be enough to let intruders in.
Exploiting the Vulnerability
Hackers can take advantage of the “use after free” flaw to seize control of the victim’s machine by sending a specially crafted email to the target. If the victim opens this email in a vulnerable version of Microsoft Outlook, or merely views it in the preview pane, the result can be remote code execution on their system.
Potential Consequences
The impact of such an attack can be severe, including data breaches, espionage, or even full system encryption by ransomware. Multiple editions of Windows 10, Windows 11, and Windows Server are affected. The vulnerability has a CVSSv3 rating of 9.8 out of 10, marking it as “critical.” Yet Microsoft states that no exploitation of this vulnerability has been recorded so far.
Recommended Actions for Users
Microsoft is currently deploying security updates to patch this vulnerability, and users are strongly urged to apply these updates without delay. In the meantime, users should set their email view to plain text and, on large LAN networks, limit NTLM traffic or turn it off entirely. By configuring Microsoft Outlook to display emails in plain text rather than rich text, users prevent the rendering of additional content such as images, animations, or custom fonts, which could be used to exploit the vulnerability.
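The two interim mitigations above can be audited (and, with -Apply, enforced) per machine. The following PowerShell is an added example, not code from the article or from Microsoft; it uses the documented Outlook ReadAsPlain and LSA RestrictSendingNTLMTraffic registry values, and assumes Outlook 2016/2019/365 (the "16.0" registry path) and an elevated session for the HKLM write.

```powershell
# Added example: audit the article's interim mitigations for CVE-2025-21298.
# Run as-is to report; add -Apply to set any value that is missing or wrong.
# Assumption: Outlook 2016/2019/365 ("16.0" key); writing HKLM needs admin rights.
param([switch]$Apply)

$checks = @(
    @{ Name     = 'Outlook: read all mail as plain text'
       Path     = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
       Value    = 'ReadAsPlain'
       Expected = 1 },   # 1 = render every message as plain text
    @{ Name     = 'LSA: restrict outgoing NTLM to remote servers'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'RestrictSendingNTLMTraffic'
       Expected = 2 }    # 0 = allow all, 1 = audit all, 2 = deny all
)

foreach ($c in $checks) {
    # Read the current value; $null when the key or value does not exist yet.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                -ErrorAction SilentlyContinue).($c.Value)
    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    $ok    = ($current -eq $c.Expected)
    $state = if ($ok) { 'OK' } else { 'NOT SET' }
    Write-Output ("{0,-48} current={1,-7} expected={2} [{3}]" -f `
                  $c.Name, $shown, $c.Expected, $state)

    if (-not $ok -and $Apply) {
        # Create the key if absent, then write the DWORD mitigation value.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected `
                         -PropertyType DWord -Force | Out-Null
        Write-Output "    -> applied"
    }
}
```

Denying all outgoing NTLM (value 2) can break legitimate authentication to servers that only speak NTLM, so audit first (value 1) and review the resulting 4624/4776 logon events before enforcing on a large network.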