
Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises

One of the 137 vulnerabilities patched by Microsoft with its Patch Tuesday updates is a critical Outlook flaw that could pose a serious threat to enterprises.

The Outlook vulnerability is tracked as CVE-2026-40361 and it has been described by Microsoft as a remote code execution vulnerability affecting Word.

Haifei Li, developer of the zero-day detection system Expmon, has been credited by the tech giant for reporting the vulnerability.

In a post on X, Li explained that the vulnerability affects a DLL used heavily by both Word and Outlook, and he demonstrated its potential impact in an Outlook and Exchange Server environment.

According to the researcher, CVE-2026-40361 is a zero-click use-after-free bug that can be exploited for remote code execution against Outlook users.

“You definitely want to patch this sooner rather than later,” Li warned, adding, “The danger of such 0-click bugs in Outlook is that they’re triggered as soon as the victim reads or previews the email — no clicking of links or attachments is required.”


“Since the bugs reside in Outlook’s email rendering engine, it’s difficult to mitigate or block (though specifically setting Outlook to render emails only in plain text format is a valid mitigation),” the researcher said.
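The plain-text mitigation quoted above can be applied and verified from PowerShell. The script below is an added example, not code from the article, from Li, or from Microsoft; it assumes an Outlook 2016/2019/Microsoft 365 install (registry version "16.0"), the per-user ReadAsPlain value under Options\Mail, and that the HKCU Policies path is the Group Policy equivalent of that setting.

```powershell
# Added example: enforce and verify Outlook's "read all standard mail in plain
# text" setting for the current user. Assumes Office version key 16.0.
# The Policies path is assumed to be the GPO-managed equivalent of the user key.
$UserKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'

function Get-OutlookPlainTextState {
    # Read both locations; a policy value, when present, overrides the user preference.
    $user   = (Get-ItemProperty -Path $UserKey   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $policy = (Get-ItemProperty -Path $PolicyKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $effective = if ($null -ne $policy) { $policy } else { $user }
    return [pscustomobject]@{
        UserValue   = $user
        PolicyValue = $policy
        Enforced    = ($effective -eq 1)
    }
}

function Set-OutlookPlainText {
    param([switch]$AsPolicy)   # -AsPolicy writes the policy key instead of the user key
    $key = if ($AsPolicy) { $PolicyKey } else { $UserKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-OutlookPlainTextState
if (-not $before.Enforced) {
    Set-OutlookPlainText
}

# Re-read the registry rather than trusting the write; Outlook picks the change up on restart.
$after = Get-OutlookPlainTextState
if ($after.Enforced) {
    Write-Host "ReadAsPlain=1 in effect (user=$($after.UserValue), policy=$($after.PolicyValue)); restart Outlook"
} else {
    Write-Warning "Plain-text rendering is still not enforced; check the policy key for an overriding value of 0"
}
```

This only narrows the HTML/RTF rendering path the researcher describes and costs rich formatting on every message the user reads; installing the patch remains the fix.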

Li compared CVE-2026-40361 to an Outlook vulnerability he discovered more than a decade ago. That flaw, tracked as CVE-2015-6172 and named BadWinmail, was dubbed an “enterprise killer” at the time by the researcher, and the new flaw has the same attack vector and the same potential impact.

“Essentially, anyone could compromise a CEO or CFO just by sending an email,” Li explained. “The threat completely bypasses enterprise firewalls and is delivered directly to the inbox.”

Microsoft has assigned the vulnerability an ‘exploitation more likely’ rating.

However, Li admitted that he developed only a PoC for CVE-2026-40361, rather than a working exploit that achieves code execution. He noted that while developing a working exploit wouldn’t be easy, the creativity of threat actors shouldn’t be underestimated.
