Tuesday, February 11, 2025

Micropatches Released for Microsoft Outlook Remote Code Execution Vulnerability (CVE-2025-21357)

January 2025 Windows updates brought a fix for CVE-2025-21357, a remote code execution vulnerability in Microsoft Outlook. This vulnerability allows an attacker who has access to the Exchange server and holds the user's credentials to execute arbitrary code on the user's computer when the user connects to Exchange with Outlook.

The vulnerability was reported to Microsoft by security researchers Jeongmin Choi, JongGeon KIM, Kiyeon Jeong, JunHyuk Im, and SeungYun LEE with bObffice (BOB13th), and Michael Gorelik and Arnold Osipov with Morphisec.

Michael Gorelik with Morphisec privately shared details and a POC with us, which allowed us to reproduce the issue and create our own patches for security-adopted Outlook versions that are no longer receiving updates from Microsoft.

Microsoft's Patch

Microsoft patched this issue by initializing a previously uninitialized variable in the affected data structure to 0, preventing a previously possible invalid pointer dereference.
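The bug class behind this fix, as an added illustration in C that is not Microsoft's or 0patch's code: a pointer field in a parsed record that is assigned only on some paths, beside the zero-initialization that the fix applies so that a consumer sees a NULL it can test instead of stale memory. The record layout, field names, flag value and message bytes are all hypothetical; nothing here reflects Outlook's actual data structures.

```c
/* Added illustration (not Microsoft's or 0patch's code): an uninitialized
 * pointer field in a parsed data structure, and the zero-initialization fix.
 * The structure, field names and message format are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record parsed from a server-supplied buffer. */
typedef struct {
    uint8_t flags;
    const uint8_t *payload;   /* only set when flags & FLAG_HAS_PAYLOAD */
    size_t payload_len;
} record_t;

#define FLAG_HAS_PAYLOAD 0x01

/* Vulnerable pattern: fields are assigned only on some paths, so a message
 * without the payload flag leaves rec->payload holding whatever was in that
 * memory before. Returns 0 on success, -1 on a truncated message. */
int parse_record_unsafe(const uint8_t *buf, size_t len, record_t *rec)
{
    if (len < 1) return -1;
    rec->flags = buf[0];
    if (rec->flags & FLAG_HAS_PAYLOAD) {
        rec->payload = buf + 1;
        rec->payload_len = len - 1;
    }
    /* payload and payload_len are left untouched otherwise */
    return 0;
}

/* Fixed pattern, the kind of change the post describes: every field is set
 * to 0 before parsing, so an absent payload is a NULL pointer the consumer
 * can test rather than an indeterminate value. */
int parse_record_fixed(const uint8_t *buf, size_t len, record_t *rec)
{
    memset(rec, 0, sizeof *rec);
    if (len < 1) return -1;
    rec->flags = buf[0];
    if (rec->flags & FLAG_HAS_PAYLOAD) {
        rec->payload = buf + 1;
        rec->payload_len = len - 1;
    }
    return 0;
}

/* Consumer: returns the first payload byte, or -1 if there is no payload.
 * Its NULL check only means something when the parser guarantees the field
 * is initialized on every path. */
int first_payload_byte(const record_t *rec)
{
    if (rec->payload == NULL || rec->payload_len == 0) return -1;
    return rec->payload[0];
}

/* Parse with the fixed parser and hand the record to the consumer.
 * Returns the first payload byte, -1 for no payload, -2 for a parse error. */
int demo_fixed(const uint8_t *msg, size_t len)
{
    record_t rec;
    if (parse_record_fixed(msg, len, &rec) != 0) return -2;
    return first_payload_byte(&rec);
}

/* Shows the hazard deterministically without dereferencing anything: stamp
 * the record with a filler byte (standing in for stale memory contents),
 * parse a message with no payload, and report whether the pointer field
 * still holds that filler. Returns 1 if the stale pointer survives. */
int unsafe_parse_leaves_stale_pointer(const uint8_t *msg, size_t len)
{
    record_t rec;
    memset(&rec, 0xCC, sizeof rec);
    if (parse_record_unsafe(msg, len, &rec) != 0) return -2;
    return rec.payload != NULL;
}

int main(void)
{
    const uint8_t with_payload[] = { FLAG_HAS_PAYLOAD, 0x41, 0x42 };  /* constructed */
    const uint8_t no_payload[]   = { 0x00 };                          /* constructed */
    printf("fixed, with payload: %d\n", demo_fixed(with_payload, sizeof with_payload));
    printf("fixed, no payload:   %d\n", demo_fixed(no_payload, sizeof no_payload));
    printf("unsafe leaves stale pointer: %d\n",
           unsafe_parse_leaves_stale_pointer(no_payload, sizeof no_payload));
    return 0;
}
```

The filler-byte step is what makes the hazard visible in a test: with real stale memory the field's value is unpredictable, which is exactly why a consumer's NULL check cannot be relied on until the producer zero-initializes the structure.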

Our Micropatch

Our patch is logically equivalent to Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Microsoft Office with all available Windows Updates installed:

  1. Microsoft Office 2010 - fully updated
  2. Microsoft Office 2013 - fully updated

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Michael Gorelik with Morphisec for privately sharing details and POC with us, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 as well as Office 2016 and Office 2019 when they all go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.
