A significant security vulnerability in the Microsoft Outlook email client could allow attackers to execute arbitrary code remotely, even though triggering the exploit requires local access.
The vulnerability, designated CVE-2025-47176, was disclosed on June 10, 2025, and carries an “Important” severity rating with a CVSS score of 7.8.
The flaw affects the widely used email application and poses substantial risks to enterprise and individual users, particularly because it requires only low privileges to exploit and needs no user interaction once triggered.
Microsoft Outlook Path Traversal Flaw (CVE-2025-47176)
The vulnerability centers on a path traversal issue involving ‘.../...//’ sequences within Microsoft Office Outlook, enabling an authorized attacker to execute code locally on affected systems.
According to Microsoft’s technical analysis, the vulnerability carries the CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H vector string, indicating a local attack vector with low attack complexity.
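The ‘.../...//’ sequence named above is the classic CWE-35 pattern: it is built so that code which "sanitizes" a path by deleting every ‘../’ in a single pass leaves a plain ‘../’ behind. The following Python is an added illustration, not code from the article or from Microsoft's advisory, and says nothing about how Outlook itself handles paths. It contrasts that delete-based sanitization with the defensive alternative of canonicalizing the joined path and checking that it still lies under an allowed base directory. The base directory and file names are constructed sample values.

```python
import posixpath
from typing import Optional

# Constructed sample base directory; untrusted paths must resolve beneath it.
BASE_DIR = "/srv/attachments"


def naive_sanitize_path(base_dir: str, user_path: str) -> str:
    """The mistake CWE-35 describes: strip '../' once, then trust the result.

    str.replace removes each non-overlapping '../' in one left-to-right pass and
    never re-examines what the removals leave behind, so '.../...//' collapses to
    '../' and the "cleaned" path still climbs out of base_dir.
    """
    cleaned = user_path.replace("../", "")
    return posixpath.normpath(posixpath.join(base_dir, cleaned))


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalize base_dir + user_path, then verify it stays under base_dir.

    Returns the normalized absolute path, or None when it escapes base_dir.
    The traversal sequences are resolved, not deleted, before the containment
    check, so there is no residue for a crafted sequence to exploit.
    """
    candidate = posixpath.normpath(posixpath.join(base_dir, user_path))
    # Both arguments are absolute here, so commonpath cannot raise ValueError.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def main() -> None:
    # Constructed inputs: the CWE-35 sequence, a plain '../', an absolute path,
    # a nested escape, and a benign relative name.
    samples = [
        ".../...//report.txt",
        "../report.txt",
        "/etc/passwd",
        "inbox/../../report.txt",
        "report.txt",
    ]
    for sample in samples:
        print(
            f"{sample!r:28} naive -> {naive_sanitize_path(BASE_DIR, sample)!r:40} "
            f"canonical -> {resolve_inside(BASE_DIR, sample)!r}"
        )


if __name__ == "__main__":
    main()
```

Note that the single strip pass turns ‘.../...//report.txt’ into ‘../report.txt’ and lets it escape, while the canonicalize-then-check approach either resolves it harmlessly beneath the base directory or rejects it outright. The example uses posixpath.normpath, a pure string normalization, so it runs offline; against a real filesystem, resolve symbolic links as well (os.path.realpath) before the containment check.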
Despite the local classification, Microsoft emphasizes that this constitutes a Remote Code Execution (RCE) vulnerability because the term “remote” refers to the attacker’s location rather than the execution method.
The vulnerability’s impact spans all three core security principles: confidentiality, integrity, and availability, each rated as “high” in the CVSS assessment.
This comprehensive impact profile suggests that successful exploitation could lead to complete system compromise, allowing attackers to access sensitive data, modify system configurations, and potentially render systems unavailable.
The Privileges Required (PR:L) metric indicates that any authenticated user can trigger this vulnerability without requiring administrative or elevated privileges, significantly expanding the potential attack surface.
Security researchers from Morphisec, including Shmuel Uzan, Michael Gorelik, and Arnold Osipov, discovered and reported this vulnerability through coordinated disclosure practices.
The exploit mechanism involves manipulating file paths using directory traversal sequences, a technique commonly associated with Arbitrary Code Execution (ACE) attacks.
While the attack vector is classified as local (AV:L), the practical implications allow for remote code execution scenarios where attackers can leverage the vulnerability to run malicious code on target systems.
Importantly, Microsoft has confirmed that the Preview Pane is not an attack vector for this vulnerability, which may limit certain exploitation scenarios that typically rely on passive content rendering.
The User Interaction (UI:N) rating indicates that once the initial conditions are met, no further user intervention is required for successful exploitation.
Current threat intelligence indicates that the vulnerability had not been publicly disclosed before Microsoft’s announcement and that no active exploitation has been observed in the wild; Microsoft’s Exploitability Assessment rates the likelihood of exploitation as “Unlikely.”
| Risk Factors | Details |
| --- | --- |
| Affected Products | Microsoft Outlook |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Low privileges (PR:L), local access (AV:L), no user interaction required (UI:N) |
| CVSS 3.1 Score | 7.8 (High) |
Security Recommendations
Microsoft has acknowledged the severity of CVE-2025-47176 but has indicated that security updates for Microsoft 365 are not immediately available.
The company has committed to releasing patches “as soon as possible” and will notify customers through revisions to the CVE information when updates become available.
This delay in patch availability heightens the urgency for organizations to implement compensatory security measures and monitor their Outlook deployments closely.
Organizations should prioritize monitoring for suspicious Outlook behavior, implement additional access controls where possible, and prepare for rapid deployment of security updates once they become available.
Given the low privilege requirements and high impact potential, this vulnerability represents a significant security concern that requires immediate attention from IT security teams across all sectors utilizing Microsoft Outlook in their communication infrastructure.
The post Microsoft Outlook Vulnerability Let Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.