Severity
High
Analysis Summary
A critical remote code execution (RCE) vulnerability in Microsoft Outlook, tracked as CVE-2025-62562, has been patched by Microsoft. Publicly disclosed on December 9, 2025, the flaw is classified as Important with a CVSS score of High. The vulnerability arises from a use-after-free weakness in Outlook, which can allow attackers to execute arbitrary code on affected systems. While the issue requires local user interaction, it represents a practical threat due to the potential for social engineering attacks.
Exploitation of this vulnerability is unique in that it does not rely on the Preview Pane; instead, attackers must trick users into replying to a specially crafted email, which triggers the code execution chain. This requirement adds complexity for attackers but does not eliminate the risk, as convincing users to interact with emails is a common technique in phishing campaigns. The flaw affects multiple Microsoft Office versions, including Word 2016 (32-bit & 64-bit), Office LTSC 2019–2024, Microsoft 365 Apps for Enterprise, and SharePoint Server editions.
Microsoft has released security updates for most affected products, such as KB5002806 for Word 2016 and corresponding patches for the other Office editions; the patched build number for Word 2016 is 16.0.5530.1000. Updates are available via Windows Update and the Microsoft Download Center, though patches for Office LTSC for Mac 2021 and 2024 have not yet been released. Administrators managing multiple systems are advised to deploy patches across all editions following organizational deployment standards and to prioritize critical updates where available.
For systems without immediate patch availability, Microsoft recommends exercising caution with unsolicited emails and avoiding replying to suspicious messages. The vulnerability was discovered and reported by Haifei Li from EXPMON through coordinated disclosure. As of now, there is no evidence of active exploitation or public proof-of-concept code, but organizations should act promptly to mitigate risk, maintain user awareness, and monitor for any suspicious activity related to Outlook communications.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-62562
Affected Vendors
Remediation
- Apply the latest Microsoft security updates for all affected Office versions immediately, including KB5002806 for Word 2016 (32-bit & 64-bit) and the corresponding updates for Office LTSC 2019–2024, Microsoft 365 Apps for Enterprise, and SharePoint Server editions.
- For Mac users, monitor for upcoming patches for Office LTSC 2021 and 2024 and apply them as soon as they become available.
- Reboot systems after installing updates to ensure the patches take effect.
- Educate users to avoid replying to unsolicited or suspicious emails, as exploitation requires user interaction.
- Implement email filtering and anti-phishing solutions to block malicious or suspicious messages before they reach end users.
- Restrict local user privileges where possible to reduce the impact of potential code execution.
- Monitor Outlook logs and system behavior for unusual activity that could indicate attempted exploitation.
- Ensure endpoint protection solutions are up to date to detect malicious email attachments or abnormal processes.
- Maintain ongoing security awareness training to help users recognize and report suspicious emails.
- Follow organizational patch management policies to ensure timely deployment across all systems.
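As an added example (not part of the advisory or a Microsoft tool), the following PowerShell check lets an administrator verify the first remediation step on a Windows host: it compares the installed Word 2016 MSI build against the patched build the advisory lists (16.0.5530.1000) and reports the Click-to-Run version for manual comparison. The install paths are the default MSI locations and the Click-to-Run registry key is the standard one; both are assumptions about a default installation and may need adjusting for a given fleet.

```powershell
# Added example: verify Word 2016 build against the advisory's patched build.
# Paths and registry key below are assumptions about default installs.
$PatchedBuild = [version]'16.0.5530.1000'   # Word 2016 patched build per the advisory (KB5002806)

$WordPaths = @(
    "$env:ProgramFiles\Microsoft Office\Office16\WINWORD.EXE",         # 64-bit MSI install
    "${env:ProgramFiles(x86)}\Microsoft Office\Office16\WINWORD.EXE"   # 32-bit MSI on 64-bit Windows
)

function Get-WordPatchStatus {
    param([string[]]$Paths, [version]$MinimumBuild)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build a System.Version from the numeric file-version fields so comparison is
        # numeric rather than string-based (avoids "16.0.9" sorting above "16.0.10").
        $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path      = $p
            Installed = $installed
            Patched   = ($installed -ge $MinimumBuild)
        }
    }
}

function Get-ClickToRunVersion {
    # Microsoft 365 Apps / Click-to-Run editions record their build here; the advisory
    # gives no single patched build for them, so this only reports the value for the
    # administrator to compare against Microsoft's release notes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    }
}

$results = Get-WordPatchStatus -Paths $WordPaths -MinimumBuild $PatchedBuild
if ($results) { $results | Format-Table -AutoSize } else { Write-Output 'No Word 2016 MSI install found at the assumed paths.' }

$c2r = Get-ClickToRunVersion
if ($c2r) { Write-Output "Click-to-Run VersionToReport: $c2r (compare against Microsoft's patched build list)" }
```

Any row with Patched = False identifies a host that still needs KB5002806 (or its successor) applied and rebooted, as the remediation list above requires.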