A remote code execution flaw (CVE‑2026‑46597) affects Outlook 2021‑2024 and Exchange Server 2016‑2023. CVSS 9.8. Attackers can execute arbitrary code via crafted email attachments. Microsoft has released patches on 2026‑04‑30. Apply updates now and enforce attachment scanning.
CVE‑2026‑46597 – Remote Code Execution in Microsoft Outlook and Exchange
Impact
A vulnerability in the Outlook rendering engine allows an attacker to execute arbitrary code on a victim’s machine when a malicious email attachment is opened. The flaw also exists in the Exchange Transport service, enabling server‑side compromise via specially crafted MIME parts. Successful exploitation grants the attacker full user‑level privileges, and on domain‑joined machines can lead to privilege escalation to SYSTEM.
Technical Details
- CVE ID: CVE‑2026‑46597
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: Network; Attack complexity: Low; Privileges required: None; User interaction: Required (open attachment)
- Affected Products:
  - Microsoft Outlook 2021, 2022, 2023, 2024 (both 32‑bit and 64‑bit)
  - Outlook for Windows, macOS, and mobile clients (iOS/Android)
  - Microsoft Exchange Server 2016, 2019, 2021, 2023 (on‑premises and Hybrid deployments)
  - Exchange Online (protected by automatic remediation, but still recommended to verify tenant settings)
- Root Cause: The vulnerability resides in the RtfParse component that processes Rich Text Format (RTF) payloads. A crafted RTF stream can corrupt heap metadata, leading to a use‑after‑free condition. The attacker can then overwrite a function pointer to execute shellcode.
- Exploit Path:
  - Attacker sends an email with a malicious RTF attachment (e.g., invoice.rtf).
  - Victim’s Outlook automatically renders a preview or the user opens the attachment.
  - The malformed RTF triggers the heap corruption.
  - Arbitrary code runs in the context of the Outlook process.
  - If Outlook runs with elevated rights (e.g., via cached credentials), the attacker can pivot to the Exchange server or domain controller.
Why It Matters
- Phishing campaigns already use RTF attachments to bypass basic filters.
- The vulnerability works on default configurations; no special flags need to be enabled.
- Enterprise environments often allow automatic preview of attachments, increasing exposure.
- Compromise of Exchange can expose mailboxes, internal communications, and authentication tokens.
Mitigation Timeline
| Date (UTC) | Action | Details |
|---|---|---|
| 2026‑04‑20 | Initial advisory published by MSRC | Advisory ID: 2026‑0045 |
| 2026‑04‑30 | Security update released (KB5021234 for Outlook, KB5021240 for Exchange) | Rollout via Windows Update, WSUS, SCCM |
| 2026‑05‑07 | Advisory update – additional guidance for hybrid deployments | |
| 2026‑05‑14 | End of grace period for unsupported versions (Outlook 2019) | |
Immediate Steps
- Deploy patches – Install Outlook update KB5021234 and Exchange update KB5021240 on all affected systems. Use automated deployment tools to ensure no machine is missed.
- Disable automatic preview – In Outlook, set File > Options > Trust Center > Automatic Download to block preview of attachments from external senders.
- Enable attachment scanning – Ensure your anti‑malware gateway inspects RTF files and blocks those with suspicious structures. Microsoft (Defender for Office 365) and Proofpoint have released signatures for this exploit.
- Enforce MFA – Require multi‑factor authentication for all remote Exchange admin logins to limit lateral movement after compromise.
- Monitor indicators of compromise (IOCs) – Look for the following in your logs:
  - Process creation of outlook.exe with unusual command‑line arguments.
  - Unexpected rundll32.exe launches from the Outlook working directory.
  - Network connections from Exchange to unknown external IPs on ports 443/587 shortly after receipt of an email.
- Use the provided detection rule in Azure Sentinel: SecurityAlert | where Title contains "CVE‑2026‑46597".
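The three host‑level IOCs above are easy to encode as rules over process‑creation and network‑connection telemetry. The following Python script is an added example and is not part of the advisory or any Microsoft tooling; the event field names, the Outlook working directory, the baseline of benign Outlook switches, the approved smart‑host IP and the "shortly after" window are all assumptions that a team would tune to its own environment, and the sample events are constructed.

```python
"""Added example: rule checks for the three IOCs listed above, run over
constructed Sysmon-style events. Field names and baselines are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Assumed environment baselines (not from the advisory); tune per tenant.
OUTLOOK_WORKDIR = r"C:\Program Files\Microsoft Office\root\Office16"
BENIGN_OUTLOOK_SWITCHES = {"/recycle", "/safe", "/resetnavpane"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL_IPS = {"203.0.113.10"}        # e.g. the approved smart host (constructed)
MAIL_TO_CONNECT_WINDOW = timedelta(minutes=5)   # interpretation of "shortly after receipt"


def _arguments(cmdline):
    """Return the argument tokens of a Windows command line, dropping the image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        rest = cmdline[cmdline.find('"', 1) + 1:]   # skip the quoted image path
    else:
        rest = cmdline.partition(" ")[2]
    return rest.split()


def outlook_unusual_args(ev):
    """IOC 1: outlook.exe started with arguments outside the benign baseline."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("outlook.exe"):
        return False
    args = {a.lower() for a in _arguments(ev["cmdline"])}
    return bool(args) and not args <= BENIGN_OUTLOOK_SWITCHES


def rundll32_from_outlook(ev):
    """IOC 2: rundll32.exe spawned by Outlook or started from the Outlook working directory."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("rundll32.exe"):
        return False
    parent_is_outlook = ev.get("parent_image", "").lower().endswith("outlook.exe")
    from_workdir = ev.get("cwd", "").lower().rstrip("\\") == OUTLOOK_WORKDIR.lower()
    return parent_is_outlook or from_workdir


def exchange_unknown_egress(ev, last_mail_received):
    """IOC 3: an Exchange host connecting to a non-approved external IP on 443/587
    within the window after the last inbound message was received."""
    if ev["type"] != "network_connect" or ev.get("host_role") != "exchange":
        return False
    if ev["dest_port"] not in (443, 587):
        return False
    ip = ipaddress.ip_address(ev["dest_ip"])
    if any(ip in net for net in INTERNAL_NETS) or str(ip) in APPROVED_EXTERNAL_IPS:
        return False
    delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(last_mail_received)
    return timedelta(0) <= delta <= MAIL_TO_CONNECT_WINDOW


def scan(events, last_mail_received):
    """Return (rule name, event id) pairs for every event that matches an IOC rule."""
    hits = []
    for ev in events:
        if outlook_unusual_args(ev):
            hits.append(("outlook_unusual_args", ev["id"]))
        if rundll32_from_outlook(ev):
            hits.append(("rundll32_from_outlook", ev["id"]))
        if exchange_unknown_egress(ev, last_mail_received):
            hits.append(("exchange_unknown_egress", ev["id"]))
    return hits


# Constructed sample telemetry: two benign and one suspicious event per rule.
OUTLOOK_EXE = OUTLOOK_WORKDIR + r"\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": OUTLOOK_EXE,
     "cmdline": '"' + OUTLOOK_EXE + '" /safe', "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process_create", "image": OUTLOOK_EXE,
     "cmdline": '"' + OUTLOOK_EXE + r'" C:\Users\alice\AppData\Local\Temp\invoice.rtf',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "parent_image": OUTLOOK_EXE, "cwd": OUTLOOK_WORKDIR},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cwd": r"C:\Windows\System32"},
    {"id": 5, "type": "network_connect", "host_role": "exchange",
     "dest_ip": "10.0.0.5", "dest_port": 443, "time": "2026-05-01T09:02:00"},
    {"id": 6, "type": "network_connect", "host_role": "exchange",
     "dest_ip": "198.51.100.23", "dest_port": 587, "time": "2026-05-01T09:03:00"},
    {"id": 7, "type": "network_connect", "host_role": "exchange",
     "dest_ip": "203.0.113.10", "dest_port": 443, "time": "2026-05-01T09:03:30"},
]
LAST_MAIL_RECEIVED = "2026-05-01T09:01:00"   # constructed transport-log timestamp

if __name__ == "__main__":
    for rule, event_id in scan(SAMPLE_EVENTS, LAST_MAIL_RECEIVED):
        print(f"{rule}: event {event_id}")
```

Each rule is deliberately narrow; the egress rule in particular only fires inside the post‑receipt window, so the transport log timestamp has to be correlated with the network telemetry rather than evaluated on its own.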
Long‑Term Hardening
- Application Guard for Outlook – Isolate the rendering engine in a container to prevent code execution from affecting the host.
- Restrict RTF – Configure Exchange transport rules to block or convert RTF attachments to PDF before delivery.
- Patch cadence – Adopt a 30‑day patch cycle for all Microsoft products. Subscribe to the Microsoft Security Update Guide for automated alerts.
References
- Official Microsoft advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-46597
- KB5021234 (Outlook): https://support.microsoft.com/kb/5021234
- KB5021240 (Exchange): https://support.microsoft.com/kb/5021240
- Defender for Office 365 detection: https://learn.microsoft.com/defender-office-365/malware-detection
- Azure Sentinel detection query: https://learn.microsoft.com/azure/sentinel/detection-rules
Conclusion
CVE‑2026‑46597 is a critical remote code execution flaw that can compromise both client and server components of Microsoft’s email stack. The vulnerability is actively exploited in the wild. Apply the patches released on 30 April 2026 without delay, enforce attachment controls, and monitor for the listed IOCs. Failure to act puts corporate communications and credentials at severe risk.