A remote code execution vulnerability (CVE‑2026‑42507) affecting Microsoft Outlook for Windows, macOS, and mobile clients carries a CVSS score of 9.8. Attackers can execute arbitrary code via crafted email content. Microsoft released patches on 3 May 2026. Apply the updates now and enforce safe attachment handling.
Immediate Impact
A remote code execution (RCE) flaw has been disclosed in Microsoft Outlook. The vulnerability, tracked as CVE‑2026‑42507, allows an unauthenticated attacker to execute arbitrary code on a victim’s machine simply by sending a specially crafted email. The CVSS v3.1 base score is 9.8 (Critical). Successful exploitation gives the attacker full user‑level privileges, enabling data theft, credential dumping, and lateral movement within the network.
Affected Products and Versions
| Product | Versions Affected |
|---|---|
| Outlook for Windows (desktop) | 16.0.20000 – 16.0.20078 |
| Outlook for macOS | 16.0.20000 – 16.0.20078 |
| Outlook for iOS/Android | 4.2200 – 4.2300 |
| Outlook on the web (OWA) | All versions prior to 2026‑05‑03 patch |
The flaw resides in the Message Rendering Engine that parses MIME parts. A crafted HTML or RTF payload can trigger memory corruption in the EwsAttachmentParser component, leading to code execution.
Technical Details
- Trigger Vector – The attacker sends an email containing a malicious MIME boundary that includes a malformed `Content-Type` header. Outlook’s parser fails to validate the length of the header, causing a stack‑based buffer overflow.
- Payload Delivery – The overflow overwrites the return address on the stack with a pointer to attacker‑controlled shellcode embedded in the email body. The shellcode is executed with the privileges of the logged‑in user.
- Persistence – Once executed, the payload can drop a second‑stage loader that registers a scheduled task, ensuring persistence across reboots.
- Network Reach – The vulnerability works over any transport that delivers email to Outlook – Exchange, POP3, IMAP, or direct SMTP. No user interaction beyond opening the message is required.
Microsoft’s internal analysis confirms the bug is not mitigated by existing DEP or ASLR protections due to the nature of the overflow.
Mitigation Steps
- Apply the Security Update – Microsoft released patches on 3 May 2026 (KB5027226 for Windows, KB5027230 for macOS, and version 4.2301 for mobile). Deploy the update via Windows Update, Microsoft Endpoint Manager, or WSUS.
- Enable Safe Attachments – In Exchange Online, turn on Safe Attachments scanning. This blocks malicious payloads before they reach the client.
- Restrict HTML Rendering – Configure Outlook to display emails in plain‑text mode for high‑risk users. This reduces the attack surface by disabling the vulnerable rendering path.
- Enable Application Guard – For Windows, enable Outlook Application Guard to isolate the rendering engine in a container.
- Network Controls – Block inbound SMTP traffic from untrusted sources at the perimeter. Use DMARC/DKIM to verify sender authenticity.
- Monitor Indicators of Compromise (IoCs) – Look for the following in logs:
  - Unexpected `cmd.exe` or `powershell.exe` launches from `OUTLOOK.EXE`.
  - Creation of scheduled tasks named `OutlookUpdater*`.
  - New registry keys under `HKCU\Software\Microsoft\Office\Outlook\Security`.
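The three indicators above map directly onto three event types most endpoint telemetry already produces. The script below is an added triage example, not Microsoft's tooling or anything from the advisory: it assumes the logs have been exported as one JSON object per line with Sysmon‑style field names (`EventID`, `Image`, `ParentImage`, `TargetObject`) plus the Windows Security log's scheduled‑task event (`EventID` 4698 with `TaskName`), and flags any line matching one of the IoCs. The sample events are constructed for illustration; adjust the field names to whatever your SIEM exports.

```python
"""Scan exported endpoint events for the three IoCs named in the advisory.

Added example, not Microsoft's code. Assumed input: JSON lines with
Sysmon-style fields (EventID 1 = process create, 12/13 = registry
create/value set) and Security log EventID 4698 (scheduled task created).
"""
import fnmatch
import json
import ntpath

# Indicator definitions taken from the advisory's IoC list.
PARENT_PROCESS = "outlook.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
TASK_PATTERN = "OutlookUpdater*"
REGISTRY_PREFIX = r"HKCU\Software\Microsoft\Office\Outlook\Security"


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles '\\' on any OS)."""
    return ntpath.basename(path or "").lower()


def check_event(event):
    """Return an IoC label if the event matches an indicator, else None."""
    event_id = event.get("EventID")
    if event_id == 1:  # process creation: shell spawned by Outlook
        parent = _basename(event.get("ParentImage"))
        child = _basename(event.get("Image"))
        if parent == PARENT_PROCESS and child in SUSPICIOUS_CHILDREN:
            return "outlook_spawned_shell"
    elif event_id == 4698:  # scheduled task created; names are logged with a leading '\'
        task = (event.get("TaskName") or "").lstrip("\\")
        if fnmatch.fnmatchcase(task, TASK_PATTERN):
            return "outlookupdater_task"
    elif event_id in (12, 13):  # registry key created / value set
        target = (event.get("TargetObject") or "").lower()
        if target.startswith(REGISTRY_PREFIX.lower()):
            return "outlook_security_regkey"
    return None


def scan(lines):
    """Parse JSON lines; return (line_number, label, event) for every hit.

    Malformed lines are skipped rather than aborting the whole triage run.
    """
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        label = check_event(event)
        if label:
            hits.append((lineno, label, event))
    return hits


# Constructed sample events (not from a real incident): three hits, four benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4698, "TaskName": r"\OutlookUpdater-7f3a"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Office\Outlook\Security\Level"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences\Foo"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for lineno, label, event in scan(SAMPLE_LOG):
        print(f"line {lineno}: {label}: {event}")
```

Sysmon records per‑user hives as `HKU\<SID>\...` rather than `HKCU\...`, so when feeding real Sysmon output normalise the hive prefix before matching; the process‑ancestry check is the highest‑signal indicator of the three, since a mail client rarely has a legitimate reason to launch a command shell.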
Timeline
- 12 Apr 2026 – Vulnerability discovered by Microsoft Security Response Center (MSRC) during internal testing.
- 15 Apr 2026 – Private disclosure to affected customers under the MSRC Customer Guidance program.
- 28 Apr 2026 – Public advisory published on the Microsoft Security Update Guide.
- 03 May 2026 – Security updates released for all affected platforms.
- 10 May 2026 – CISA adds CVE‑2026‑42507 to the Known Exploited Vulnerabilities (KEV) Catalog.
What to Do Now
- Verify that the latest Outlook updates are installed on every endpoint.
- Enforce safe attachment policies in Exchange Online.
- Conduct a rapid scan for the IoCs listed above using your SIEM.
- If any unpatched systems remain, isolate them from the network until they can be updated.
- Review user training material to remind staff not to open unexpected email attachments, even from trusted contacts.
References
- Official Microsoft advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-42507
- CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-cve-2026-42507
- Outlook security documentation: https://learn.microsoft.com/en-us/outlook/security
- Safe Attachments guide: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attachment-scan
Take action now. The window for exploitation is already open. Apply patches, enable protective controls, and monitor for signs of compromise.