Impact
The vulnerability is a deserialization of untrusted data in Microsoft Office Outlook (CWE‑502). An attacker who can get crafted, attacker‑controlled data processed by Outlook over a network can exploit it to spoof the sender of a message. Because the spoofed identity is what recipients and downstream workflows rely on, a successful attack lets the attacker impersonate legitimate users and deliver phishing or other malicious content, primarily undermining the integrity of email communications and potentially their confidentiality, since recipients may disclose information to the impersonated party.
Affected Systems
Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, and Microsoft Word 2016. No per‑product version ranges or fixed build numbers are given in the source, so any installation of these products that has not received the corresponding security update should be treated as potentially affected; confirm the fixed build for each product against Microsoft's security update guide rather than assuming a cutoff.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity. The EPSS score of 4% is a prediction, not an observation: it estimates roughly a 4% probability that the vulnerability will be exploited in the wild within the next 30 days, which is modest in absolute terms but not negligible. The vulnerability is not listed in the CISA KEV catalog, meaning CISA has not confirmed active exploitation; this lowers the immediate priority but does not rule out exploitation. The likely attack vector is remote, since an attacker would need to deliver malicious data to Outlook components over the network. A successful exploit compromises the integrity of email messages and facilitates phishing or other spoofing attacks that depend on a trusted sender identity.
OpenCVE Enrichment