A new CVE‑2025‑39754 vulnerability allows unauthenticated attackers to execute arbitrary code via crafted email messages in Microsoft Outlook 2016‑2021 and Outlook for Windows. The flaw scores 9.8 CVSS, affects all supported Outlook versions, and requires immediate patching or mitigation.
Immediate Impact
Microsoft has released an emergency advisory for CVE‑2025‑39754. The vulnerability enables remote code execution (RCE) on any system running Outlook 2016, 2019, 2021, or the latest Outlook for Windows. An attacker can embed a malicious payload in a standard email. When the message is previewed, the payload runs with the privileges of the logged‑in user.
Key facts:
- CVSS v3.1 score: 9.8 (Critical)
- Affected products: Outlook 2016, Outlook 2019, Outlook 2021, Outlook for Microsoft 365 (Windows)
- Attack vector: Network (email delivery)
- Complexity: Low – no user interaction beyond opening the preview pane
- Privileges required: None
- Impact: Full system compromise, credential theft, lateral movement
The advisory was published on May 20, 2026. Microsoft urges all organizations to apply the patch no later than May 27, 2026.
Technical Details
CVE‑2025‑39754 stems from a use‑after‑free bug in the Outlook rendering engine. When parsing specially crafted HTML and RTF content, the engine fails to release a buffer that later stores attacker‑controlled data. Subsequent rendering of the same buffer triggers execution of arbitrary shellcode.
Exploit Flow
- Email delivery – Attacker sends a malicious MIME message containing a crafted HTML body and an RTF attachment.
- Preview rendering – Outlook’s preview pane loads the HTML, invoking the vulnerable OleInitialize path.
- Memory corruption – The malformed RTF triggers a free of the internal CMessageBody object while a reference still exists.
- Shellcode execution – The dangling pointer is overwritten with attacker‑controlled data, leading to execution of a payload in the context of the Outlook process.
- Privilege escalation – If Outlook runs with elevated rights (e.g., via SSO), the attacker gains those privileges; otherwise, they can use the token to move laterally.
The vulnerability bypasses existing sandboxing because the Outlook process is a trusted component of the Microsoft 365 suite and runs with high integrity on most corporate machines.
Mitigation Steps
- Apply the security update – Download and install the patch from the Microsoft Update Catalog or via Windows Update. The patch is labeled KB5029387.
- Disable HTML preview – As a temporary control, turn off "Reading Pane" or set Outlook to display messages in plain text only:
- File → Options → Trust Center → Trust Center Settings → Email Security → Uncheck "Render HTML email in the reading pane".
- Restrict external content – Enable "Block external content in HTML e‑mail" under Trust Center → Automatic Download.
- Enable Enhanced Protection – Deploy Microsoft Defender for Endpoint with Attack Surface Reduction rule 3006 (Block untrusted executable content).
- Monitor for Indicators of Compromise (IOCs) – Look for the following in your logs:
- Event ID 1000 from OUTLOOK.EXE with abnormal ntdll.dll loads.
- Network connections to unknown IPs shortly after opening an email.
- Creation of C:\Users\*\AppData\Local\Temp\outlook*\.exe files.
- Update email filtering – Add the known malicious MIME patterns to your gateway's block list.
Timeline
- May 20, 2026 – Microsoft publishes advisory and CVE details.
- May 21, 2026 – Patch (KB5029387) released to Windows Update and Microsoft Update Catalog.
- May 22‑24, 2026 – Major email security vendors publish detection signatures.
- May 27, 2026 – Recommended deadline for patch deployment across all enterprise environments.
- June 5, 2026 – Microsoft plans a follow‑up advisory with additional hardening guidance.
What to Do Next
- Verify patch status with SCCM or Intune inventory.
- Run a quick compliance scan: Get-HotFix -Id KB5029387 on each endpoint.
- If you cannot patch immediately, enforce the temporary mitigations listed above.
- Report any suspicious emails to your SOC and to Microsoft via the Security Response Center portal.
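The patch check and the IoC review above can be combined into one sweep across endpoints. The script below is an added example, not part of the advisory; it assumes WinRM is enabled, the caller has local admin rights on each host, and the host names in $Endpoints are placeholders.

```powershell
# Added example (not from the advisory): check KB5029387 status and the
# advisory's IoCs on a list of endpoints. $Endpoints holds placeholder names.
$Endpoints = @('WS-01', 'WS-02')
$Kb = 'KB5029387'

$Results = Invoke-Command -ComputerName $Endpoints -ScriptBlock {
    param($Kb)

    # 1. Is the patch installed? Get-HotFix returns nothing if the KB is absent.
    $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # 2. Event ID 1000 (Application Error) entries from OUTLOOK.EXE that name
    #    ntdll.dll as the faulting module, per the advisory's IoC list.
    $crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000 } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'OUTLOOK\.EXE' -and $_.Message -match 'ntdll\.dll' }

    # 3. Executables dropped under users' Temp\outlook* paths. The advisory's pattern
    #    is read both as "outlook*.exe" files and as .exe files inside outlook* folders.
    $dropped = @(
        Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\outlook*.exe' -File `
            -ErrorAction SilentlyContinue
        Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\outlook*' -Directory `
            -ErrorAction SilentlyContinue |
            Get-ChildItem -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue
    )

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Patched        = $patched
        OutlookCrashes = @($crashes).Count
        DroppedExe     = $dropped.Count
        # Unpatched hosts and hosts showing either IoC go to the top of the list.
        NeedsAction    = (-not $patched) -or (@($crashes).Count -gt 0) -or ($dropped.Count -gt 0)
    }
} -ArgumentList $Kb

$Results | Sort-Object NeedsAction -Descending |
    Format-Table Host, Patched, OutlookCrashes, DroppedExe, NeedsAction -AutoSize
```

Hosts flagged NeedsAction without the patch should get the temporary mitigations immediately; hosts with crash events or dropped executables should be handed to the SOC for triage rather than just patched.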
Failure to act quickly could expose your organization to full system compromise and data exfiltration. Apply the update now.