Impact
The flaw in Microsoft Office Outlook permits an attacker to expose sensitive information that can then be used to perform spoofing over a network. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The disclosed data may allow malicious actors to send forged messages that appear legitimate, undermining trust in communications and facilitating further attacks.
Affected Systems
The vulnerability affects a range of Microsoft products, including Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Outlook 2016, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. No specific version information was provided, so all releases of the listed products are potentially impacted.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of 1% denotes a relatively low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based, since the description references activity over a network; an attacker must gain unauthorized network access to the affected Office or SharePoint services to trigger the disclosure. Overall, the risk is moderate to high, depending on network exposure and on defensive controls such as email authentication mechanisms.
OpenCVE Enrichment