CVE-2025-21357: Microsoft Patch Tuesday Addresses Important Outlook RCE Vulnerability
On January 14th, 2025, Microsoft released a crucial update addressing a newly discovered Microsoft Outlook remote code execution (RCE) vulnerability. This issue, identified as CVE-2025-21357, builds on ongoing research into Microsoft Outlook vulnerabilities, particularly within the realm of form injection. Our team’s prior work on vulnerabilities like CVE-2024-30103 has highlighted significant risks, and this discovery is no exception.
Vulnerability Overview
CVE-2025-21357 is a pointer-dereference vulnerability in Microsoft Outlook, caused by an uninitialized pointer and reached through a form injection technique. While the exploitation path is more complex than in previous vulnerabilities (it requires a persistent control-flow hijack and user mailbox credentials to execute remote code on devices with Microsoft Outlook installed), it nonetheless presents a serious risk to unpatched systems.
Initial assessments indicate that the probability of successful exploitation is lower due to these added complexities; however, the potential impact remains severe.
Collaboration with Microsoft
Microsoft has been highly responsive in addressing these issues. The vulnerability was reported on October 14th, 2024, and patched on January 14th, 2025—a three-month turnaround time. This reflects Microsoft’s commitment to maintaining the security of their products and protecting their user base. Our coordinated disclosure ensured that this vulnerability was communicated effectively, and the released patch directly mitigates the risk.
CVE-2025-21357 Technical Insights
The vulnerability leverages an overflow condition triggered through a specially crafted form, ultimately exploiting a pointer-dereference issue. While this follows the pattern of form injection attacks, it introduces a distinct challenge for exploitation.
Attackers must carefully manipulate specific data structures and possess user mailbox credentials to achieve arbitrary code execution on any Microsoft Outlook client device.
Key Points for Administrators:
- Patch Deployment: Ensure all systems running Microsoft Outlook are updated with the latest patches released on January 14th, 2025.
- Defense-in-Depth: Implement layered security measures, including network segmentation and endpoint monitoring, to reduce the risk of exploitation.
- Morphisec AMTD Protection: Organizations using Morphisec’s Automated Moving Target Defense (AMTD) are already protected against the exploitation of this vulnerability without the need to patch.
Timeline for Technical Disclosure
To allow organizations ample time to apply updates, we will delay the release of detailed technical insights into CVE-2025-21357 for at least one month. This grace period is intended to prioritize the protection of systems over immediate public disclosure of exploit details.
For additional background on similar vulnerabilities, see our coverage of CVE-2024-38173 and CVE-2024-30103.
On-Demand Outlook RCE Webinar
The Morphisec Threat Labs team presented their technical findings about the recently patched Microsoft Outlook RCE vulnerabilities CVE-2024-30103 and CVE-2024-38021 on the main stage at DEF CON 32. If you weren’t able to attend in person, watch the on-demand webinar to gain insights and hear directly from those who discovered the vulnerabilities. Watch now.
Moving Forward
This discovery of CVE-2025-21357 underscores the importance of ongoing vigilance in securing email clients and other high-value attack surfaces. We commend Microsoft for their proactive engagement and encourage organizations to prioritize applying this important update. For those leveraging Morphisec AMTD, the added layer of protection ensures peace of mind even in the face of emerging threats.
Stay tuned for more in-depth technical analysis and mitigation strategies in the coming weeks.