Critical Zero-Click Outlook Vulnerability Patched in Microsoft’s Latest Update
Microsoft’s June Patch Tuesday addressed 137 vulnerabilities, including a severe zero-click remote code execution (RCE) flaw in Outlook, tracked as CVE-2026-40361. The vulnerability, reported by security researcher Haifei Li, developer of the zero-day detection system Expmon, affects a shared DLL used by both Outlook and Word, so it can be exploited without any user interaction.
Li described the flaw as a use-after-free bug that triggers automatically when a victim reads or previews a malicious email; no click and no attachment is required. Because the vulnerability resides in Outlook’s email rendering engine, traditional mitigations such as blocking attachments or links are ineffective. Forcing Outlook to display emails in plain text, however, could reduce risk.
The researcher warned that the flaw mirrors CVE-2015-6172 (BadWinmail), a decade-old Outlook vulnerability he dubbed an “enterprise killer” because it could compromise high-profile targets (e.g., CEOs or CFOs) with a single email. Like its predecessor, CVE-2026-40361 sidesteps perimeter defenses such as enterprise firewalls because the attack is delivered straight to the inbox. Microsoft rated the vulnerability "exploitation more likely", although Li noted that he developed only a proof-of-concept (PoC), not a fully weaponized exploit.
While crafting a functional exploit may be challenging, Li cautioned that threat actors’ ingenuity should not be underestimated. The patch is critical for organizations relying on Outlook and Exchange Server environments.
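As an added worked example (not code from the article, from Haifei Li, or from Microsoft), the PowerShell below enforces the plain-text mitigation the article mentions and reports the installed Office build so it can be compared with the build Microsoft lists for the fix. It assumes the Office 16.0 generation (Outlook 2016 and later, Microsoft 365 Apps) and uses the ReadAsPlain and ReadSignedAsPlain values under Outlook's Options\Mail registry key; the exact policy path and the Click-to-Run build location are assumptions to verify against your ADMX templates before deploying at scale.

```powershell
# Added example: enforce Outlook "read all mail as plain text" and report the Office build.
# Not from the article or from Microsoft. Assumes Office 16.0; adjust $OfficeVersion otherwise.

$OfficeVersion = '16.0'   # assumption: Office generation installed on the host
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"  # assumed policy path
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"           # per-user setting

function Set-OutlookPlainText {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # ReadAsPlain = 1 renders message bodies as plain text instead of HTML/RTF
    New-ItemProperty -Path $Path -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    # S/MIME-signed mail has its own switch; cover it too (assumed value name)
    New-ItemProperty -Path $Path -Name 'ReadSignedAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-OutlookPlainText {
    # Returns $true only when both values are present and set to 1
    param([Parameter(Mandatory)][string]$Path)
    $v = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ReadAsPlain -eq 1 -and $v.ReadSignedAsPlain -eq 1)
}

function Get-OfficeBuild {
    # Click-to-Run installs record the build here (assumed location); compare the
    # result with the patched build in Microsoft's advisory, which this script does not embed.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    (Get-ItemProperty -Path $c2r -ErrorAction SilentlyContinue).VersionToReport
}

Set-OutlookPlainText -Path $PolicyKey   # policy value takes precedence and greys out the UI option
Set-OutlookPlainText -Path $UserKey     # also set the user value for hosts without policy processing

[pscustomobject]@{
    PolicyEnforced = Test-OutlookPlainText -Path $PolicyKey
    UserSetting    = Test-OutlookPlainText -Path $UserKey
    OfficeBuild    = Get-OfficeBuild
} | Format-List
```

Run it in the affected user's session (the keys live under HKCU) and restart Outlook for the change to take effect. Plain-text rendering discards HTML formatting and inline images, and the article itself only says it "could reduce risk", so treat it as a stopgap until the June update is installed, not as a substitute for it. In an enterprise, push the same values through Group Policy rather than per-host scripts so they survive profile rebuilds.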
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
{
  "id": "mic1778682772",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Organizations relying on Outlook and Exchange Server environments',
                        'industry': 'Software/Technology',
                        'name': 'Microsoft',
                        'type': 'Technology Corporation'}],
 'attack_vector': 'Email (malicious email preview/reading)',
 'customer_advisories': 'Organizations using Outlook and Exchange Server should apply the latest patches and consider forcing plain-text email display as a mitigation.',
 'description': 'Microsoft’s June Patch Tuesday addressed 137 vulnerabilities, including a severe zero-click remote code execution (RCE) flaw in Outlook, tracked as CVE-2026-40361. The vulnerability, reported by security researcher Haifei Li, affects a shared DLL used by both Outlook and Word, enabling exploitation without user interaction. The flaw is a use-after-free bug that triggers automatically when a victim reads or previews a malicious email, bypassing the need for clicks or attachments. The vulnerability resides in Outlook’s email rendering engine, making traditional mitigations ineffective. Forcing Outlook to display emails in plain text could reduce risk.',
 'impact': {'systems_affected': 'Microsoft Outlook, Microsoft Word, Exchange Server environments'},
 'initial_access_broker': {'high_value_targets': 'CEOs, CFOs, and other high-profile users'},
 'investigation_status': 'Patched (Proof-of-Concept developed, no active exploitation reported)',
 'lessons_learned': 'Zero-click vulnerabilities in email clients pose severe risks, especially when targeting high-profile users. Traditional mitigations like blocking attachments or links may be ineffective against such flaws. Proactive patching and alternative display modes (e.g., plain text) can reduce exposure.',
 'post_incident_analysis': {'corrective_actions': 'Microsoft released a patch to address the vulnerability. Organizations should enforce patch management and consider additional mitigations like plain-text email display.',
                            'root_causes': 'Use-after-free vulnerability in Outlook’s email rendering engine (shared DLL with Word).'},
 'recommendations': '1. Apply Microsoft’s June Patch Tuesday updates immediately. 2. Configure Outlook to display emails in plain text as a temporary mitigation. 3. Monitor for unusual activity in Exchange Server environments. 4. Educate high-profile users (e.g., CEOs, CFOs) about zero-click threats.',
 'references': [{'source': 'Security Researcher Haifei Li (Expmon)'}],
 'response': {'containment_measures': 'Patch released (June Patch Tuesday), forcing Outlook to display emails in plain text',
              'remediation_measures': 'Apply Microsoft’s June Patch Tuesday updates'},
 'title': 'Critical Zero-Click Outlook Vulnerability Patched in Microsoft’s Latest Update',
 'type': 'Zero-Click Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-40361 (Use-after-free bug in Outlook’s email rendering engine)'}