January Patchday

Dangerous Security Vulnerability in Outlook Mail! Microsoft Urgently Recommends an Update

Microsoft has now addressed a critical security vulnerability in Outlook. Photo: Getty Images

January 18, 2025, 9:37 am | Read time: 3 minutes

On the occasion of the January Patchday, Microsoft has once again addressed many errors and problem areas. One security vulnerability in Outlook is particularly critical.


Consumers hardly notice it in everyday life, but providing internet services is a constant arms race between cybercriminals and companies that want to ensure the security of their products and customers. As a result, new problems are constantly arising that manufacturers have to solve. Microsoft is no exception and has made improvements in several areas for the January patch day. One security vulnerability in Outlook stands out.

Vulnerability in Outlook Classified as Critical

The core issue is the security vulnerability in Outlook designated CVE-2025-21298. As Microsoft itself writes, it has received a CVSS base score of 9.8 and is therefore considered particularly serious. The CVSS is a standard for classifying the severity of security vulnerabilities. Specifically, the flaw concerns OLE (Object Linking and Embedding), the technology that allows documents to embed or link to other documents and objects.

The manufacturer names remote code execution as a possible effect of the security gap in Outlook. To achieve this, the perpetrators prepare emails with malicious code and send them. The victim does not even have to actively open the message for the malicious software to be injected. In fact, a preview in the Outlook program is said to be enough to trigger the dangerous process.

Microsoft classifies the complexity of the attack as low. This means that it is comparatively easy to exploit the corresponding vulnerability in Outlook; in other words, not many prerequisites are necessary.


Be Sure to Install Patches

According to the Zero Day Initiative, an error in the parsing of RTF files makes the security risk possible in the first place: user-supplied data is not validated correctly. This could, in turn, lead to memory corruption. All previous versions of Windows 10 and 11 as well as Windows Server 2008 (R2), 2012, 2016, 2019, 2022, and 2025 are affected.

Microsoft is not currently aware of any cases of CVE-2025-21298 being exploited. Nevertheless, those responsible believe it is likely that this could still happen. The company has already provided patches that users should install quickly. As an alternative workaround, Microsoft also mentions the option of reading emails in “text-only” format. This is because messages displayed this way do not contain any images, special fonts, animations, or other rich text content, which are responsible for the security vulnerability in Outlook in the first place.
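For administrators who want to verify or apply the “text-only” workaround on a Windows client, the following PowerShell is an added example and is not taken from the article or from Microsoft's advisory. It assumes the Office 16.0 registry hive (Outlook 2016 and later) and the `ReadAsPlain` value that backs Outlook's "Read all standard mail in plain text" option; neither is named in the article.

```powershell
# Added example: audit and enable Outlook's plain-text reading mode for the current user.
# Assumption: Office 16.0 hive; pass -OfficeVersion for older installations.

function Get-OutlookPlainTextState {
    param([string]$OfficeVersion = '16.0')

    # A Group Policy value overrides the per-user setting, so check it first.
    $paths = [ordered]@{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
        User   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    }

    foreach ($source in $paths.Keys) {
        $item  = Get-ItemProperty -Path $paths[$source] -Name ReadAsPlain -ErrorAction SilentlyContinue
        $value = $item.ReadAsPlain
        if ($null -ne $value) {
            return [pscustomobject]@{
                Source      = $source
                ReadAsPlain = [int]$value
                PlainText   = ($value -eq 1)
            }
        }
    }

    # Value absent in both locations: Outlook renders rich content by default.
    [pscustomobject]@{ Source = 'Default'; ReadAsPlain = 0; PlainText = $false }
}

function Enable-OutlookPlainText {
    param([string]$OfficeVersion = '16.0')

    $path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    Set-ItemProperty -Path $path -Name ReadAsPlain -Value 1 -Type DWord
}

# Report the effective state; enable the workaround only if it is not already active.
$state = Get-OutlookPlainTextState
if (-not $state.PlainText) {
    Enable-OutlookPlainText
    $state = Get-OutlookPlainTextState
}
$state | Format-List
```

Outlook reads the setting at startup, so restart the client after changing it. The workaround reduces exposure until the patch is installed and does not replace it.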

According to the Zero Day Initiative, Microsoft has its hands full with keeping its own systems secure: This month alone, they have published and worked on 161 different vulnerabilities of varying severity.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.
