Microsoft addressed a significant security flaw in its Outlook email client during the May 2025 Patch Tuesday, releasing fixes for 72 vulnerabilities across its ecosystem.
Among these, CVE-2025-32705, a remote code execution (RCE) vulnerability in Microsoft Outlook, has drawn attention because it enables local code execution through an out-of-bounds read weakness.
The vulnerability, rated Important with a CVSSv3 score of 7.8, stems from improper memory handling in Outlook.
An attacker could exploit CVE-2025-32705 by sending a specially crafted file to the target user via email or other means.
Once the user opens the malicious file in an affected version of Microsoft Outlook, the out-of-bounds read error can be triggered, allowing the attacker to execute arbitrary code on the local system.
This could lead to complete system compromise, data theft, or further malware deployment.
Notably, the Outlook Preview Pane is not an attack vector for this vulnerability, so simply previewing an email will not trigger the exploit. The user must actively open the malicious file for the attack to succeed.
Microsoft credited Haifei Li from EXPMON for discovering the vulnerability and recognized the broader security community’s role in coordinated vulnerability disclosure.
| Risk Factors | Details |
|---|---|
| Affected Products | Microsoft Office LTSC 2021 (32/64-bit), LTSC 2024 (32/64-bit), Microsoft 365 Apps (32/64-bit) |
| Impact | Remote Code Execution (arbitrary code execution via local attack vector) |
| Exploit Prerequisites | User must open a specially crafted malicious file in Microsoft Outlook |
| CVSS 3.1 Score | 7.8 (Important) |
Microsoft assigned itself as the CNA (CVE Numbering Authority) for this vulnerability and promptly released security updates as part of the May 2025 Patch Tuesday.
The updates cover multiple editions of Microsoft Office LTSC 2021 and 2024, as well as Microsoft 365 Apps for Enterprise, for both 32-bit and 64-bit systems.
The affected products and update links include:
All updates are classified as Important and address Remote Code Execution vulnerabilities. Users and organizations are strongly urged to apply these patches immediately to mitigate potential exploitation risks.
This vulnerability highlights the ongoing risks posed by out-of-bounds memory errors in widely used software like Microsoft Outlook.
The combination of local attack vector with user interaction requirement underscores the importance of user awareness alongside timely patch management to prevent arbitrary code execution attacks.
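Because every affected product in the table is a Click-to-Run installation, an administrator can confirm that the May 2025 update actually landed by comparing the build Office reports in the registry with the build Microsoft lists for their update channel. The script below is an added example, not code from the article or from Microsoft; the `ClickToRun\Configuration` registry path and its `VersionToReport`, `Platform`, `UpdateChannel` and `ProductReleaseIds` values are the standard Click-to-Run ones, while `$PatchedBuild` is a placeholder that must be filled in from Microsoft's advisory, which this article does not reproduce.

```powershell
# Added example: report the installed Click-to-Run Office build and compare it
# with the build that carries the May 2025 fix for the current update channel.
# $PatchedBuild is a PLACEHOLDER; take the real build for your channel from
# Microsoft's advisory for CVE-2025-32705 (not reproduced in the article).
$PatchedBuild = [version]'0.0.0.0'

$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (-not (Test-Path $c2r)) {
    # MSI-based Office installs are not covered by this check.
    Write-Warning 'No Click-to-Run Office installation found on this host.'
    return
}

$cfg       = Get-ItemProperty -Path $c2r
$installed = [version]$cfg.VersionToReport   # e.g. 16.0.xxxxx.xxxxx

# Outlook ships with the Microsoft 365 Apps and Office LTSC suites listed in
# the article; ProductReleaseIds shows which suite(s) are installed.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Products      = $cfg.ProductReleaseIds
    Platform      = $cfg.Platform        # x86 (32-bit) or x64 (64-bit)
    UpdateChannel = $cfg.UpdateChannel
    Installed     = $installed
    Required      = $PatchedBuild
    Patched       = ($installed -ge $PatchedBuild)
} | Format-List
```

Run it with the placeholder replaced by the channel-specific build; a `Patched` value of `False` on a host that also lists an Outlook-bearing suite in `Products` is the machine that still needs the update. Because the update is channel-specific, compare against the build for the channel the host actually reports rather than a single number across the fleet.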