Microsoft has patched a remote code execution (RCE) vulnerability in Outlook that could allow an attacker to run arbitrary code on a vulnerable system.
The flaw, tracked as CVE-2025-62562, was disclosed and patched on December 9, 2025, and warrants prompt attention from IT administrators and end users.
The vulnerability stems from a use-after-free weakness in Microsoft Office Outlook. According to Microsoft’s vulnerability classification, this flaw is rated Important (CVSS score: 7.8).
The CVSS attack vector is Local (AV:L): the exploit cannot be triggered over the network on its own; it runs only when a user on the target machine interacts with a malicious email.
Specifically, an attacker sends a crafted email that tricks the user into replying, thereby triggering the code-execution chain.
Microsoft Outlook Vulnerability
Unlike RCE flaws that can be triggered by a network request alone, this one requires user interaction on the victim's machine.
The Preview Pane is not an attack vector for this vulnerability: merely viewing the message does not trigger it. The attacker needs the user to reply to a specially crafted email.
This interaction requirement raises the bar for exploitation, but it remains a practical threat, since social engineering routinely persuades users to respond to messages.
The vulnerability affects multiple Microsoft Office products, including Microsoft Word 2016 (both 32-bit and 64-bit). Word appears on the list because Outlook uses Word's editing engine to compose messages, which is consistent with the reply-to-exploit trigger described above.
| Product | Versions Affected | Update Status |
|---|---|---|
| Microsoft Word 2016 | 32-bit & 64-bit | Available (KB5002806) |
| Microsoft Office LTSC 2024 | 32-bit & 64-bit | Available |
| Microsoft Office LTSC 2021 | 32-bit & 64-bit | Available |
| Microsoft Office 2019 | 32-bit & 64-bit | Available |
| Microsoft 365 Apps for Enterprise | 32-bit & 64-bit | Available |
| Microsoft SharePoint Server 2019 | All editions | Available |
| Microsoft SharePoint Enterprise Server 2016 | All editions | Available |
| Microsoft Office LTSC for Mac 2024 | Mac | Not yet available |
| Microsoft Office LTSC for Mac 2021 | Mac | Not yet available |
Also affected are Microsoft Office LTSC 2021 and 2024, Microsoft Office 2019, Microsoft 365 Apps for Enterprise, Microsoft SharePoint Server 2019 and SharePoint Enterprise Server 2016, and Microsoft Office LTSC for Mac 2021 and 2024.
Security updates are available for most affected versions; for Word 2016 the fixed build is 16.0.5530.1000 (KB5002806).
Microsoft has confirmed that security patches are available through Windows Update and the Microsoft Download Center.
However, updates for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available. They will be released as soon as possible.
Microsoft says organizations should prioritize installing the available security updates on all affected Microsoft Office versions.
Administrators managing many systems should deploy the patches for both 32-bit and 64-bit editions in accordance with their deployment standards.
For the Mac editions that do not yet have a patch, Microsoft recommends exercising caution with unsolicited emails and not replying to suspicious messages.
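The following PowerShell script is an added example for the deployment step above; it is not from the article or from Microsoft. It inventories the Office 16.x installations on a Windows host, reports bitness and build, and flags whether the Word 2016 MSI build meets the 16.0.5530.1000 baseline given above. The registry locations (the Click-to-Run Configuration key, the Word InstallRoot key and its WOW6432Node mirror for 32-bit Office on 64-bit Windows) and the `\root\Office16` Click-to-Run install path are standard Office layouts but are assumptions here, and the fixed build for Click-to-Run channels is not stated in the article, so it is left as a parameter to be filled from Microsoft's release notes.

```powershell
# Added example (not from the article or Microsoft): report Office 16.x builds on a Windows
# host so an administrator can confirm the December 9, 2025 update is present.
# Only the Word 2016 MSI fixed build (16.0.5530.1000, from the article) is known here. The
# Click-to-Run baseline (Microsoft 365 Apps, Office LTSC 2021/2024) must come from Microsoft's
# release notes and is supplied as a parameter; registry paths below are assumed standard layouts.
param(
    [version]$Word2016MsiFixedBuild = '16.0.5530.1000',
    [version]$ClickToRunFixedBuild  = $null   # assumption: fill in from the release notes
)

function Get-FileBuild {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $v = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # Office binaries report a four-part version such as "16.0.5530.1000"; ignore any suffix.
    if ($v -match '^\d+\.\d+\.\d+\.\d+') { return [version]$Matches[0] }
    return $null
}

$results = @()

# 1. Click-to-Run installs (Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024).
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2rKey) {
    $cfg   = Get-ItemProperty -Path $c2rKey
    $build = [version]$cfg.VersionToReport
    $results += [pscustomobject]@{
        Install = 'Click-to-Run'
        Product = $cfg.ProductReleaseIds
        Bitness = $cfg.Platform            # 'x86' or 'x64'
        Build   = $build
        Patched = if ($ClickToRunFixedBuild) { $build -ge $ClickToRunFixedBuild }
                  else { 'unknown (no Click-to-Run baseline supplied)' }
    }
}

# 2. InstallRoot keys: MSI installs (Word/Office 2016, volume Office 2019). On 64-bit Windows a
#    32-bit Office registers under WOW6432Node. Click-to-Run also projects this key, so rows whose
#    path points into the C2R "\root\Office16" directory are deferred to the Click-to-Run row.
$installRoots = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Word\InstallRoot';             Bitness = 'x64' },
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\InstallRoot'; Bitness = 'x86' }
)
foreach ($r in $installRoots) {
    if (-not (Test-Path $r.Key)) { continue }
    $root  = (Get-ItemProperty -Path $r.Key).Path
    $isC2R = $root -like '*\root\Office16*'
    foreach ($exe in 'WINWORD.EXE', 'OUTLOOK.EXE') {
        $build = Get-FileBuild -Path (Join-Path $root $exe)
        if (-not $build) { continue }
        $results += [pscustomobject]@{
            Install = if ($isC2R) { 'Click-to-Run (projected key)' } else { 'MSI' }
            Product = $exe
            Bitness = $r.Bitness
            Build   = $build
            # The article documents the fixed build for Word 2016 MSI only; apply it to WINWORD.EXE
            # on MSI installs and leave other binaries to the release notes.
            Patched = if ($isC2R) { 'see Click-to-Run row' }
                      elseif ($exe -eq 'WINWORD.EXE') { $build -ge $Word2016MsiFixedBuild }
                      else { 'check release notes for this binary' }
        }
    }
}

if (-not $results) { Write-Warning 'No Office 16.x installation found on this host.' }
$results | Format-Table -AutoSize
```

Run it on each managed host (for example through a remoting session or a configuration-management job) and collect the `Patched` column; any `False` for a Word 2016 MSI install means KB5002806 has not landed. The Mac editions are out of scope for this check, since no update exists for them yet.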
Haifei Li of EXPMON is credited with discovering and reporting the vulnerability through coordinated disclosure. As of publication, there is no evidence of active exploitation and no publicly available exploit code.
