A newly released security advisory from AKATI Sekurity is raising concerns over a high-risk vulnerability in Microsoft Outlook that could allow attackers to run malicious code on a victim's system. The issue, disclosed in December 2025, affects multiple versions of Microsoft Office and Outlook across both Windows and macOS environments.
At a time when email remains one of the most common attack vectors, this vulnerability highlights just how dangerous a single malicious message can be.
What Is the Vulnerability About?
The flaw is tracked as CVE-2025-62562 and is classified as a use-after-free remote code execution (RCE) vulnerability. In simple terms, it is a memory corruption issue: Outlook continues to use a block of memory after that block has been freed, and an attacker who can control what lands in the freed block may be able to redirect execution to code of their choosing.
The vulnerability carries a CVSS 3.1 score of 7.8, placing it firmly in the high-severity category. It does not require the attacker to hold any privileges on the target, but it does rely on user interaction, which is often the weakest link in the security chain. As the attack scenario below shows, that interaction can be as little as previewing a message.
How an Attack Could Happen
According to the advisory, the attack scenario is worryingly straightforward. A malicious actor sends a specially crafted email or attachment to the victim. When the recipient interacts with the message, whether by opening it, previewing it in the Reading Pane, or replying, Outlook may trigger the vulnerable code path.
If successful, the attacker gains the ability to run code with the same privileges as the logged-in user; if that user is a local administrator, so is the attacker's code. From there, the damage can escalate quickly. Potential outcomes include malware installation, data theft, lateral movement within the network, and further compromise if the flaw is chained with other vulnerabilities.
Because Outlook is widely used by executives, administrators, and other high-value users, the potential impact on confidentiality and system integrity is particularly severe.
Are There Active Attacks?
As of the advisory's publication date, there are no confirmed reports of active exploitation and no publicly available proof-of-concept code. However, the report cautions that the vulnerability is highly attractive to attackers and could easily be weaponised in phishing campaigns.
In cybersecurity terms, this places organisations in a dangerous window: a known flaw with high impact, but before widespread attacks begin.
Products Affected
The vulnerability affects a broad range of Microsoft products, including multiple Office and Outlook versions. Impacted software includes Microsoft Office 2016, Office 2019, Office LTSC 2021 and 2024, Microsoft 365 Apps for Enterprise, and even SharePoint Server editions. macOS users are not exempt, with Office LTSC for Mac 2021 and 2024 also listed as affected.
| Product | Version Affected |
| --- | --- |
| Microsoft Word 2016 | 32-bit & 64-bit |
| Microsoft Office LTSC 2024 | 32-bit & 64-bit |
| Microsoft Office LTSC 2021 | 32-bit & 64-bit |
| Microsoft Office 2019 | 32-bit & 64-bit |
| Microsoft 365 Apps for Enterprise | 32-bit & 64-bit |
| Microsoft SharePoint Server 2019 | All editions |
| Microsoft SharePoint Enterprise Server 2016 | All editions |
| Microsoft Office LTSC for Mac 2024 | Mac |
| Microsoft Office LTSC for Mac 2021 | Mac |
This wide scope means both enterprise and individual users should treat the advisory seriously.
What Organisations and Users Should Do Now
AKATI Sekurity is clear on its primary recommendation: apply Microsoft's December 2025 security updates immediately. Patching is the most effective way to eliminate the risk entirely.
Until patches are fully deployed, the advisory also suggests several practical risk-reduction steps. These include tightening email gateway filtering, blocking suspicious attachments, disabling Outlook's Reading or Preview Pane, and preventing automatic downloading of external content. Note that these measures narrow the window rather than close it: the advisory lists replying to a message as a trigger, so a user who opens a crafted message still reaches the vulnerable code path even with the Preview Pane turned off. Educating users to avoid interacting with unexpected emails therefore remains a critical line of defence.
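To make the gateway-side steps concrete, here is an added example, not code from the AKATI Sekurity advisory, of the kind of checks a mail gateway applies before a message reaches Outlook: deny a list of risky attachment extensions, flag attachments whose magic bytes do not match their extension, and flag HTML bodies that reference remote content. The extension list, the magic-byte table and the sample message are all constructed for the illustration; the script does not and cannot detect the CVE-2025-62562 trigger itself, since no exploit details are public.

```python
"""Gateway-style attachment and remote-content checks (added example).
Nothing here is specific to CVE-2025-62562; it implements the generic
mitigations named in the advisory text above."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# Hypothetical deny-list of extensions a gateway would refuse outright.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
    "lnk", "iso", "img", "vhd", "cmd", "bat", "ps1", "msi",
}

# Leading bytes of a few common file types, used to catch attachments
# whose extension lies about their contents.
MAGIC = {
    b"MZ": "executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also docx/xlsx/pptx containers
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls/.msg containers
}

# Extensions we are willing to accept for each sniffed content class.
EXPECTED_EXT = {
    "executable": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt", "msg"},
}

# src= / href= attributes pointing at an http(s) URL in an HTML body.
REMOTE_REF = re.compile(
    r"""(?:src|href)\s*=\s*["']?\s*(https?://[^"'\s>]+)""", re.IGNORECASE)


def sniff(data: bytes) -> Optional[str]:
    """Return the content class implied by the first bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(part) -> List[str]:
    """Apply the extension deny-list and the magic/extension consistency check."""
    findings = []
    name = part.get_filename() or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension: {name}")
    kind = sniff(part.get_payload(decode=True) or b"")
    if kind and ext not in EXPECTED_EXT.get(kind, set()):
        findings.append(f"content/extension mismatch: {name} looks like {kind}")
    return findings


def check_remote_content(msg: EmailMessage) -> List[str]:
    """Flag every remote http(s) reference in any text/html part."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for url in REMOTE_REF.findall(part.get_content()):
                findings.append(f"remote content reference: {url}")
    return findings


def scan(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return all policy findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = check_remote_content(msg)
    for part in msg.iter_attachments():
        findings.extend(check_attachment(part))
    return findings


def build_sample() -> bytes:
    """Constructed test message (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_alternative(
        '<p>Please see attached.</p>'
        '<img src="https://tracker.example.test/p.gif">',
        subtype="html")
    # PE header bytes behind a .pdf name: the extension does not match.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Script file with a denied extension.
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="update.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding)
```

Run against the constructed message the scan reports three findings: the remote tracking pixel, the PE file disguised as a PDF, and the `.vbs` attachment. A production gateway would also unpack archives and apply the same checks recursively; that step is left out here to keep the example short.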
A Timely Reminder About Email Security
This Outlook vulnerability serves as another reminder that email remains one of the most dangerous entry points for attackers. Even without confirmed large-scale exploitation, the combination of high severity and everyday user interaction makes this flaw particularly concerning.
For organisations and individuals alike, staying up to date with patches and maintaining cautious email habits are no longer optional. In an environment where a single click or preview can have serious consequences, proactive security measures make all the difference.