[Urgent Action Required] Apply Microsoft Outlook Critical Update
Below is a message from our Cyber Security Program Office. What it boils down to: Apply the latest updates to Microsoft Outlook.
For individuals who do not have a local administrator account on computers running Microsoft Outlook, the CELS IT group will begin updating machines starting on Monday, January 27.
For co-managed machines, please update your Microsoft Outlook application. Starting on Tuesday, January 28, the CELS Service Desk team will contact individuals running the vulnerable Microsoft Outlook installation.
Message from CSPO:
A recent vulnerability (CVE-2025-21298) has been classified as a critical zero-click remote code execution (RCE) flaw in Microsoft Outlook, meaning it can be exploited without any user interaction upon delivery of specially crafted e-mails, posing a significant risk to our systems and data. While LMS-PROC-373 already states that critical vulnerabilities must be addressed within 15 days of discovery, Cyber is asking for increased prioritization and prompt deployment of relevant updates due to the widespread use of Outlook and the ease of exploitation. Aligning with LMS-PROC-373, we request that these patches be fully deployed no later than Friday, January 31st. If you have any questions or require further assistance, do not hesitate to reach out.
Thank you for your attention to this critical matter. We’ve included additional information on the vulnerability below.
Summary of CVE-2025-21298:
- CVSS Score: 8 (Critical)
- VPR Score: 9 (Critical)
- Vulnerability Type: Zero-Click Remote Code Execution (RCE)
- Affected Software: Microsoft Outlook
- Impact: Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.
- Attack Vector: The vulnerability can be triggered by sending a specially crafted email to the target user. The user does not need to open or interact with the email for the exploit to be executed.
Recommended Actions:
- Patch Deployment: Microsoft has released a security update addressing this vulnerability, which is included in the security and/or cumulative rollup for January.
- Disable RTF Previews: For those unable to patch immediately, disabling Rich Text Format (RTF) previews in Outlook is suggested as a temporary measure.
For more information, please refer to the following resources: