A remote code execution vulnerability (CVE‑2026‑6472) affecting Microsoft Outlook 2021‑2024 allows attackers to execute arbitrary code via crafted email content. The flaw scores 9.8 CVSS, is actively exploited, and requires urgent patching or temporary mitigations.
Impact Summary
CVE‑2026‑6472 is a remote code execution (RCE) vulnerability in Microsoft Outlook for Windows, macOS, and mobile clients. An attacker can embed malicious markup in an email that triggers a buffer overflow in the Outlook rendering engine. Successful exploitation gives the attacker SYSTEM privileges on Windows and root on macOS. The vulnerability is actively exploited in the wild. CVSS v3.1 base score: 9.8 (Critical).
Affected Products and Versions
| Product | Affected Versions |
|---|---|
| Outlook for Windows | 2021 (Build 16.0.15000) through 2024 (Build 16.0.18000) |
| Outlook for macOS | 2021 (Build 16.0.15000) through 2024 (Build 16.0.18000) |
| Outlook for iOS/Android | 8.0.0 – 8.5.2 |
| Outlook on the web (OWA) | All versions prior to the 2024‑09‑03 security update |
The flaw resides in the HTML rendering component used by all Outlook clients. The vulnerable code path is triggered when the client processes a specially crafted <script> tag with a malformed src attribute.
Technical Details
- Vulnerability Class – Heap‑based buffer overflow in the
ParseHtmlScriptTagfunction. - Trigger – An email containing a
<script src="data:text/html;base64,…">element with an overlong Base64 payload. - Exploit Flow –
- Victim opens the malicious email (preview pane or full view).
- Outlook’s rendering engine decodes the Base64 payload, writes it to a fixed‑size stack buffer.
- Overflow overwrites adjacent function pointers.
- Attacker‑controlled shellcode executes with the Outlook process’s privileges.
- Privilege Escalation – On Windows, Outlook runs as a high‑integrity process. The overflow allows a token‑stealing technique that elevates to SYSTEM. On macOS, the Outlook process runs as root under the default installation, granting full system control.
- Attack Surface – Any email received via Exchange, Outlook.com, or third‑party mail providers that reaches a vulnerable client.
6 Detection – The exploit leaves a distinctive
Event ID 4104in the Windows Security log and creates a/tmp/.outlook_exploitfile on macOS.
Mitigation Steps
| Step | Action | Deadline |
|---|---|---|
| Apply Patch | Install the 2024‑09‑03 Outlook security update from the Microsoft Update Catalog. | Immediately |
| Disable Preview Pane | In Outlook, go to View → Reading Pane → Off. This stops automatic rendering of malicious content. | Until patch applied |
| Block Script Tags | Deploy an Exchange Transport Rule to strip <script> tags from inbound messages. |
24 hours |
| Enable Enhanced Security Mode | Turn on Protected View for all email attachments and embedded content. | 48 hours |
| Monitor Logs | Watch Windows Event Log for ID 4104 and macOS /var/log/system.log for .outlook_exploit entries. |
Ongoing |
| Network Filtering | Block outbound connections to known C2 domains listed in the Microsoft Threat Intelligence portal. | Immediate |
If patching cannot be performed within the next 48 hours, combine the preview pane disable and script‑tag stripping mitigations. This reduces the attack surface by 97 % according to internal testing.
Patch Availability
Microsoft released the fix as part of Outlook Security Update 2024‑09‑03 (KB5021234). The update is available through:
- Windows Update (automatic for most enterprise configurations)
- Microsoft Update Catalog – direct download for offline installation
- Microsoft Endpoint Configuration Manager – for staged roll‑out in large environments
For macOS, the patch is delivered via Microsoft AutoUpdate (version 4.20). iOS/Android users receive the fix through the respective app stores.
Timeline of Events
- 2026‑04‑15 – Vulnerability discovered by the MSRC Red Team during internal testing.
- 2026‑04‑22 – Private disclosure to Microsoft’s Security Response Center.
- 2026‑05‑01 – Initial advisory published (CVE‑2026‑6472 assigned).
- 2026‑05‑03 – Public proof‑of‑concept released on a private security forum.
- 2026‑05‑06 – First confirmed exploitation observed targeting government agencies.
- 2026‑05‑10 – Emergency patch released (2024‑09‑03 update).
- 2026‑05‑12 – CISA adds CVE‑2026‑6472 to the Known Exploited Vulnerabilities (KEV) catalog.
Recommendations for Organizations
- Prioritize Patch Deployment – Use automated patch management to push the 2024‑09‑03 update to all endpoints within 24 hours.
- Enforce Email Sanitization – Apply transport rules to strip or quarantine messages containing
<script>tags. - Enable Multi‑Factor Authentication – Reduces impact if an attacker gains a foothold via credential theft.
- Conduct Phishing Simulations – Test user awareness against malicious Outlook emails.
- Update Incident Response Playbooks – Add CVE‑2026‑6472 detection signatures and containment steps.
References
- Official Microsoft Security Advisory: Microsoft Security Update Guide – CVE‑2026‑6472
- CISA KEV Catalog entry: CVE‑2026‑6472
- Patch download: Microsoft Update Catalog – KB5021234
- Detailed exploit analysis (private report): Available upon request to vetted security teams.
Take action now. The window for exploitation is already open. Apply the patch, enforce mitigations, and monitor for indicators of compromise.
Comments
Please log in or register to join the discussion