Outlook Zero-Click Security Flaw Patched by Microsoft (CVE-2025-21298)
In its latest Patch Tuesday release, Microsoft has rolled out a crucial fix for a high-risk vulnerability identified as CVE-2025-21298.
This security flaw, which carries a near-maximum CVSS severity rating of 9.8, could let attackers remotely execute malicious code on Windows systems simply by sending a specially designed email. The issue, which directly impacts Microsoft Outlook, poses a serious threat to email security and requires immediate action.
How Attackers Exploit the Flaw
The root of the problem lies within Windows Object Linking and Embedding (OLE), a feature that allows users to link and embed content across applications. According to Microsoft, attackers could exploit this weakness by crafting an email designed to trigger the vulnerability when it is either opened or even just previewed in Outlook. This low-effort, high-impact attack method makes the vulnerability especially concerning.
Once a targeted user receives the malicious email, simply viewing it—without the need for any additional interaction—can activate the embedded OLE object, allowing attackers to take control of the system. Given the ease of exploitation, users are strongly urged to apply the latest patches to safeguard their systems from potential threats.
The critical CVE-2025-21298 vulnerability was uncovered by security researchers Jmini, Rotiple, and D4m0n, working with Trend Micro’s Zero Day Initiative. Their discovery is a wake-up call that cyber threats are always changing, and staying on top of them is more important than ever.
Reducing the Risk While You Patch
For those who can't immediately install the patch, Microsoft has suggested a few practical steps to reduce the risk of exploitation:
- Read Emails in Plain Text: Switching Outlook to plain text mode can prevent malicious OLE objects from being triggered. However, this workaround may affect how emails appear, stripping out images and special formatting. Microsoft provides a step-by-step guide on enabling plain text mode for those who need it.
- Be Cautious with RTF Attachments: Rich Text Format (RTF) emails and attachments from unfamiliar sources should be treated with caution, as they could contain hidden threats. Avoid opening them unless they're from a trusted sender.
- Limit User Permissions: Applying the principle of least privilege ensures that even if an exploit occurs, the damage can be minimised by restricting unnecessary user access to critical systems.
Applying Microsoft's patch for CVE-2025-21298 is the most effective way to stay protected, but for those who need more time, the recommended workarounds can help minimise the immediate risks.
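The RTF caution above can be enforced at the mail gateway rather than left to each user. The following is an added example, not code from the article or from Microsoft: it walks a message's MIME parts with Python's standard `email` library, flags RTF or TNEF (`winmail.dat`) parts, and holds the message for review unless the sender is on an allow list. The sample message and the `trusted_senders` set are constructed for illustration.

```python
"""Flag inbound messages that carry RTF or TNEF (winmail.dat) parts for review."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# MIME types that declare RTF content directly, or the TNEF wrapper Outlook uses to carry it.
RTF_CONTENT_TYPES = {"application/rtf", "text/rtf", "application/ms-tnef"}


def find_rtf_parts(raw_message: bytes) -> list[str]:
    """Return one reason string per MIME part that looks like RTF or TNEF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype in RTF_CONTENT_TYPES:
            reasons.append(f"part '{name or '(inline)'}' declared as {ctype}")
        elif name.endswith(".rtf") or name == "winmail.dat":
            # Catch parts whose declared type hides the format (e.g. application/octet-stream).
            reasons.append(f"attachment name '{name}' (declared as {ctype})")
    return reasons


def should_hold(raw_message: bytes, trusted_senders: set[str]) -> bool:
    """Hold for review when RTF/TNEF is present and the sender is not on the allow list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return bool(find_rtf_parts(raw_message)) and sender not in trusted_senders


def build_sample(with_rtf: bool) -> bytes:
    """Constructed test message (not a real sample); optionally adds RTF and TNEF attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached report.")
    if with_rtf:
        msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                           subtype="rtf", filename="report.rtf")
        # Bytes 78 9F 3E 22 are the TNEF signature; the rest of the file is omitted here.
        msg.add_attachment(b"\x78\x9f\x3e\x22", maintype="application",
                           subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in find_rtf_parts(build_sample(True)):
        print("HOLD:", reason)
```

Holding rather than dropping keeps legitimate RTF from trusted partners reviewable while the patch is rolled out.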