Well dang CVE-2025-21298

This bug rates a CVSS 9.8 and allows a remote attacker to execute code on a target system by sending a specially crafted mail to an affected system with Outlook. The specific flaw exists within the parsing of RTF files.

https://www.zerodayinitiative.com/blog/2025/1/14/the-january-2025-security-update-review

Zero Day Initiative — The January 2025 Security Update Review


@mttaggart we almost had the seventh(!) zero-click RCE in Outlook in two years. Although this is very close...

I summed up the other 6 here: https://infosec.exchange/@jtig/112768122980712688

Jeffrey (@jtig@infosec.exchange)

Very hot take: Outlook (classic) should be regarded as a high-risk application at this point, after the numerous critical vulnerabilities that keep being patched. These CVEs are responsible for zero-click RCE or token theft in Outlook:

- July 2024: [CVE-2024-38021](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38021)
- June 2024: [CVE-2024-30103](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30103) (requires user auth)
- February 2024: [CVE-2024-21413](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413)
- August 2023: [CVE-2023-35384](https://msrc.microsoft.com/update-guide/en-us/advisory/CVE-2023-35384)
- May 2023: [CVE-2023-29324](https://msrc.microsoft.com/update-guide/en-us/advisory/CVE-2023-29324)
- March 2023: [CVE-2023-23397](https://msrc.microsoft.com/update-guide/en-us/advisory/CVE-2023-23397)

Outlook Web works just fine for me 🤷
