
Critical Microsoft Windows Vulnerability Exposes Systems to Email-Based Malware


A newly identified security vulnerability in Microsoft Windows, designated CVE-2025-21298, poses a significant threat to users by allowing attackers to deploy malware through email.

The flaw, located in the Object Linking and Embedding (OLE) component of Windows, enables attackers to execute code remotely simply by having users preview an email in Microsoft Outlook. Microsoft has released security updates to mitigate the issue and urges users to install them immediately.

The vulnerability, described as a “use after free” flaw, can be triggered when a specially crafted email is opened or previewed using a vulnerable version of Outlook. Once the flaw is exploited, attackers could gain full control over the victim’s system. This could lead to serious consequences, including data theft, system espionage, or ransomware encryption.

Affected systems include multiple versions of Windows 10, Windows 11, and Windows Server. With a CVSSv3 severity score of 9.8 out of 10, the vulnerability is classified as critical.

While Microsoft has stated that no active exploitation of this flaw has been observed, it has started rolling out security patches to address the issue. Users are strongly encouraged to update their systems without delay.

In the interim, Microsoft recommends configuring Outlook to display emails as plain text, which disables potentially harmful content such as images, animations, and custom fonts. For enterprise networks, restricting or disabling NTLM traffic can further reduce the risk of exploitation.
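
The plain-text workaround can be audited and applied per user from PowerShell. The script below is an added example, not taken from the article or from Microsoft's advisory; it assumes the Office "16.0" registry hive (Outlook 2016/2019/Microsoft 365) and Outlook's ReadAsPlain and ReadSignedAsPlain values, none of which are named in the article.

```powershell
# Added example (not from the article): audit and enable Outlook's
# "read all mail as plain text" setting for the current user.
# Assumption: Office 16.0 hive; change $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$Paths = [ordered]@{
    # Policy scope is normally written by Group Policy and overrides the preference.
    Policy     = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    Preference = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
}
# ReadAsPlain covers standard mail, ReadSignedAsPlain covers digitally signed mail.
$Values = 'ReadAsPlain', 'ReadSignedAsPlain'

function Get-OutlookPlainTextState {
    # Report each value in both scopes; a missing key or value counts as not enabled.
    foreach ($scope in $Paths.Keys) {
        foreach ($name in $Values) {
            $item = Get-ItemProperty -Path $Paths[$scope] -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Scope   = $scope
                Name    = $name
                Value   = if ($item) { $item.$name } else { $null }
                Enabled = [bool]($item -and ($item.$name -eq 1))
            }
        }
    }
}

function Set-OutlookPlainText {
    param([ValidateSet('Policy', 'Preference')][string]$Scope = 'Preference')
    $path = $Paths[$Scope]
    # Create the key if Outlook has never written it for this profile.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $Values) {
        New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; uncomment the next line to apply the workaround, then audit again.
Get-OutlookPlainTextState | Format-Table -AutoSize
# Set-OutlookPlainText -Scope Preference
```

A host where every row reports Enabled as False is still rendering rich content in the preview pane and should be prioritized for the security update.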
