Microsoft Patches Two New RCE Vulnerabilities: CVE-2025-47171 and CVE-2025-47176
On June 10, 2025, Microsoft released critical patches addressing multiple Microsoft Outlook remote code execution (RCE) vulnerabilities, which were discovered by the Morphisec team. Building on our previous discoveries, including last year’s Outlook RCE vulnerabilities presented at Defcon and BlueHat, and the form injection RCE CVE-2025-21357 patched in January 2025, we have identified two new severe vulnerabilities: CVE-2025-47171 and CVE-2025-47176.
CVE-2025-47171: Custom Forms RCE
At the heart of CVE-2025-47171 lies Microsoft Outlook’s custom forms, a legacy feature allowing developers and administrators to define specialized behavior for items like mail messages. Exploiting this vulnerability requires an authenticated attacker and a malicious form that has already been synchronized to the victim’s client; beyond that, only minimal user interaction is needed.
Disclosure Timeline:
- Reported: March 23, 2025
- Confirmed: May 1, 2025
- Patched: June 10, 2025
While serious, it is overshadowed by the second discovery.
CVE-2025-47176: Synchronization Objects RCE (Critical)
CVE-2025-47176 introduces a new category of RCE exploits targeting Microsoft Outlook synchronization objects. This vulnerability is:
- Trivial to exploit, requiring only authentication
- Zero-click, enabling automatic and persistent code execution
- Highly dangerous, affecting most versions of classic Outlook clients
Microsoft classified this as “Important,” but Morphisec deems it Critical due to its ease of exploitation—surpassing even last year’s form injection RCE in simplicity—and its potential for widespread impact.
Disclosure Timeline:
- Reported: April 17
- Confirmed: May 13
- Patched: June 10, 2025
Why This Matters
The attack surface for Microsoft Outlook exploitation is vast, with new critical and important vulnerabilities uncovered and disclosed every Patch Tuesday. Unlike many vulnerabilities that remain theoretical, both CVE-2025-47171 and CVE-2025-47176 have fully functional proofs-of-concept (PoCs) and are extremely easy to exploit.
Ransomware operators only need a single compromised endpoint to infiltrate an entire organization, making these vulnerabilities prime targets.
Recommendations
- Immediate Action: Update all classic Microsoft Outlook clients to the latest version to mitigate these risks.
- Compensatory Controls: Patching alone is not enough. Morphisec’s anti-ransomware solution, powered by patented Automated Moving Target Defense (AMTD) technology, provides a signatureless, preventive approach to minimize the impact of such exploits.
- Stay Proactive: With ransomware groups actively seeking entry points, organizations must bolster endpoint security to prevent catastrophic breaches.
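One way to act on the "Immediate Action" item across a fleet is to inventory which Outlook build each Windows endpoint actually runs, rather than assuming the update rolled out. The PowerShell below is an added example, not code from Morphisec or Microsoft. It reads the Click-to-Run `Configuration` registry key (`VersionToReport`, `UpdateChannel`), which Microsoft 365 Apps installs populate, and cross-checks the file version of `OUTLOOK.EXE` located via the Windows App Paths key. `$MinimumBuild` is a placeholder: the post names no fixed build number, so replace it with the patched build for your update channel from Microsoft's June 10, 2025 release notes.

```powershell
# Added example, not from the Morphisec post or Microsoft documentation.
# Reports the installed classic Outlook build on a Windows endpoint so a
# defender can confirm the June 10, 2025 update has been applied.
#
# $MinimumBuild is a PLACEHOLDER (assumption): replace it with the patched
# build number for your update channel from Microsoft's release notes.
$MinimumBuild = [version]'16.0.0.0'

function Get-OutlookBuildStatus {
    param([version]$Minimum = $MinimumBuild)

    $result = [ordered]@{
        ClickToRunVersion = $null
        UpdateChannel     = $null
        OutlookExePath    = $null
        OutlookExeVersion = $null
        MeetsMinimum      = $false
    }

    # Click-to-Run installs (Microsoft 365 Apps, Office 2019+) record the
    # build they report to the update service under this key.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2rKey) {
        $cfg = Get-ItemProperty -Path $c2rKey
        $result.ClickToRunVersion = [version]$cfg.VersionToReport
        $result.UpdateChannel     = $cfg.UpdateChannel
    }

    # Independent check: the file version of OUTLOOK.EXE itself, found via
    # App Paths. This also covers MSI-based installs with no ClickToRun key.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    if (Test-Path $appPath) {
        $exe = (Get-ItemProperty -Path $appPath).'(default)'
        if ($exe -and (Test-Path $exe)) {
            $result.OutlookExePath    = $exe
            $result.OutlookExeVersion = [version](Get-Item $exe).VersionInfo.FileVersion
        }
    }

    # Prefer the Click-to-Run build; fall back to the executable's file version.
    $effective = $result.ClickToRunVersion
    if (-not $effective) { $effective = $result.OutlookExeVersion }
    if ($effective) { $result.MeetsMinimum = ($effective -ge $Minimum) }

    [pscustomobject]$result
}

# Run locally, or push to many hosts with Invoke-Command, and review MeetsMinimum.
Get-OutlookBuildStatus | Format-List
```

Hosts where neither registry key exists have no classic Outlook installed (or run only the new web-based Outlook, which the post does not cover); those report `MeetsMinimum = $false` with empty version fields and should be triaged separately rather than counted as patched.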
How Morphisec Can Help
Morphisec’s application of AMTD to Microsoft Office significantly minimizes the exploitable attack surface, delivering proactive mitigation against known and zero-day vulnerabilities.
AMTD functions as a Virtual Patching layer, intercepting exploitation attempts at runtime and preventing compromise while organizations validate and deploy official security patches.
Security practitioners can see Morphisec in action by visiting www.morphisec.com/demo.
Credits
We extend our gratitude to researchers Arnold Osipov, Shmuel Uzan, and Michael Gorelik for their relentless efforts in discovering these vulnerabilities before they could be weaponized as zero-days. Their work continues to strengthen the security landscape and protect organizations worldwide.
Responsible Disclosure
To avoid immediate exploitation, we are withholding technical details. Morphisec plans to release full details in two months, giving organizations time to apply patches. Stay vigilant, prioritize updates, and deploy advanced security measures to protect your environment.