Microsoft Windows is affected by a new critical security vulnerability. Tracked as CVE-2025-21298, it sits in Windows Object Linking and Embedding (OLE), the component that lets documents and other objects be embedded in applications. The danger is in how little user interaction is needed: merely previewing a crafted message in Outlook's reading pane can be enough to let an attacker in.
The flaw is a use-after-free memory-corruption bug. According to Microsoft, an attacker can exploit it "by sending a specially crafted email to a target." A successful exploit results in remote code execution on the victim's machine if the target opens the message in a vulnerable version of Microsoft Outlook, or if Outlook renders the message in its preview pane.
The consequences of such an attack can be severe, from data theft and espionage to full system encryption by ransomware. Various versions of Windows 10, Windows 11 and Windows Server are affected. The vulnerability carries a CVSS v3 base score of 9.8 out of 10 and is therefore rated "critical". Microsoft states that it has not observed exploitation in the wild to date.
Microsoft has released security updates that close the flaw, and users are strongly advised to install them as soon as possible. Until the updates are installed, Microsoft's recommended mitigation is to read email in plain text. Some reports also advise restricting NTLM traffic, or disabling NTLM altogether, in large networks; that is sound general hardening, but it does not address this bug, which is triggered by parsing a malicious OLE object rather than by leaking credentials. Configuring Outlook to display messages as plain text rather than HTML or RTF stops it from rendering rich content (embedded objects, images, formatting) in the reading and preview panes, so the crafted object is never parsed.
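The plain-text mitigation can be applied and verified from PowerShell. The script below is an added example, not part of the original article or Microsoft's own guidance: it sets the documented `ReadAsPlain` registry value that backs Outlook's "Read all standard mail in plain text" option, then uses the installation dates of recent hotfixes as a rough hint of whether the January 2025 updates have been applied. The Office hive version "16.0" (Outlook 2016 and later, including Microsoft 365) and the Patch Tuesday date of 14 January 2025 are assumptions; the specific KB number for a given Windows build must be checked against the MSRC advisory.

```powershell
# Added example (not from the article): interim hardening for CVE-2025-21298.
# Assumes Outlook stores its options under the "16.0" hive; adjust for older builds.
param(
    [string]$OfficeVersion = "16.0"
)

$mailKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Enable-OutlookPlainText {
    # Create the key if this user has never changed mail options.
    if (-not (Test-Path $mailKey)) {
        New-Item -Path $mailKey -Force | Out-Null
    }
    # ReadAsPlain = 1 makes Outlook render incoming HTML/RTF mail as plain text,
    # so embedded objects are not parsed in the reading or preview pane.
    Set-ItemProperty -Path $mailKey -Name "ReadAsPlain" -Value 1 -Type DWord
}

function Test-OutlookPlainText {
    $item = Get-ItemProperty -Path $mailKey -Name "ReadAsPlain" -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ReadAsPlain -eq 1)
}

function Get-RecentHotfixes {
    # Heuristic only: lists updates installed on or after the January 2025
    # Patch Tuesday (assumed date). It does not prove the OLE fix is present;
    # confirm the exact KB for this build against the MSRC advisory.
    $patchTuesday = [datetime]'2025-01-14'
    Get-HotFix | Where-Object { $_.InstalledOn -ge $patchTuesday } |
        Select-Object HotFixID, InstalledOn
}

Enable-OutlookPlainText
if (Test-OutlookPlainText) {
    Write-Host "ReadAsPlain=1 set under $mailKey (restart Outlook to apply)."
} else {
    Write-Warning "ReadAsPlain was not set; check permissions on $mailKey."
}

$recent = Get-RecentHotfixes
if ($recent) {
    Write-Host "Updates installed since 2025-01-14:"
    $recent | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since 2025-01-14; the OLE fix is probably missing."
}
```

Two caveats a practitioner should keep in mind: `ReadAsPlain` is a per-user setting, so for fleet-wide enforcement the equivalent Group Policy ("Read e-mail as plain text" in the Outlook administrative templates) is the better tool, and Outlook has a separate option for digitally signed mail ("Read all digitally signed mail in plain text" under Trust Center > Email Security) that this value does not cover.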