Microsoft Outlook Flaw Opens Door to Remote Code Attacks
Microsoft is warning users of a critical vulnerability in Outlook that could allow attackers to execute arbitrary code remotely, even though the attack must be initiated with local access. Tracked as CVE-2025-47176, the flaw was disclosed on June 10 with a CVSS score of 7.8, rated “Important.” The vulnerability stems from a path traversal issue involving ‘.../...//’ sequences, allowing authenticated attackers with low privileges to compromise systems without user interaction.
Though the attack vector is classified as local, Microsoft considers it a Remote Code Execution (RCE) issue due to the attacker’s ability to trigger malicious code execution from a remote location. The flaw impacts confidentiality, integrity and availability—each rated “high.” Microsoft confirmed that the Preview Pane is not an attack vector, potentially limiting exposure. No exploit activity has been observed in the wild, and a patch is not yet available. Organizations are urged to monitor Outlook deployments and prepare for rapid patch deployment once updates are released.
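The ‘.../...//’ sequence is the path traversal class catalogued as CWE-35: a filter that strips ‘../’ in a single pass turns it back into ‘../’. The sketch below is an added illustration of that class and of the canonicalize-then-check defense, not Microsoft's or Outlook's code (the advisory details quoted here do not describe the affected code path); the storage root, function names and file names are assumptions, and POSIX separators are used so it behaves the same on any platform.

```python
import posixpath

BASE_DIR = "/srv/attachments"  # hypothetical storage root (assumption)


def naive_strip(name: str) -> str:
    """Weak filter: removes '../' once, left to right, and never re-checks."""
    return name.replace("../", "")


def weak_resolve(name: str) -> str:
    """Trusts the single-pass filter, then joins the result to BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_strip(name)))


def safe_resolve(name: str) -> str:
    """Canonicalize the untouched input, then require it to stay in BASE_DIR."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    # commonpath compares whole path components, so a sibling such as
    # /srv/attachments-old does not pass as being "inside" BASE_DIR.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real exploit or advisory.
    samples = [
        "report.pdf",
        ".../...//.../...//outside.txt",
        "../../outside.txt",
    ]
    for s in samples:
        print(f"input          : {s!r}")
        print(f"  after filter : {naive_strip(s)!r}")
        print(f"  weak_resolve : {weak_resolve(s)}")
        try:
            print(f"  safe_resolve : {safe_resolve(s)}")
        except ValueError as exc:
            print(f"  safe_resolve : rejected ({exc})")
```

Because `safe_resolve` never rewrites the input, ‘...’ is treated as an ordinary directory name and the result stays under the root, while a plain ‘../’ escape is rejected outright.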
