Advisory

Researchers warn of critical Outlook flaw that executes malicious code in mail preview

Take action: If you needed a good reason to patch your Windows systems, how about being hacked by an email you didn't even open? Apply the January 2025 patch now; don't delay.

Learn More

Researchers warn of a critical security vulnerability in Windows Object Linking and Embedding (OLE) technology. An attacker could exploit this vulnerability by sending a specially crafted email to a target.

Successful exploitation would lead to remote code execution on the target system if the target opens the email using a vulnerable version of Microsoft Outlook, or if their mail client renders the email in a preview pane (without the email ever being opened).

The vulnerability is tracked as CVE-2025-21298 (CVSS score: 9.8) and affects Windows and Windows Server product lines. The vulnerability affects a core Windows technology (OLE) that has been integrated since the 1990s and is still extensively used in modern Windows systems.

The flaw is patched in the January 2025 Microsoft patch.

The German Federal Office for Information Security (BSI) decided to raise the IT threat level to Level 2 (Yellow) because of this flaw. Users are advised to patch as soon as possible.
