PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-21361 Microsoft CVE debrief

CVE-2025-21361 is a high-severity remote code execution vulnerability in Microsoft Outlook affecting macOS platforms. The vulnerability was published on January 14, 2025, and last modified on May 19, 2026. Microsoft has released patches and vendor guidance to address this issue. The vulnerability carries a CVSS 3.1 score of 7.8 (HIGH severity) with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, user interaction required, and high impacts to confidentiality, integrity, and availability. Affected products include Microsoft Office 2024 LTSC for macOS, Microsoft Office LTSC 2021 for macOS, and Microsoft Outlook for macOS versions prior to 16.93. The weakness has been associated with CWE-641 (Improper Restriction of Names for Files and Other Resources) per Microsoft's security response center, though NVD has classified it as NVD-CWE-noinfo. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Microsoft
Product: Microsoft Office LTSC for Mac 2021
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-01-14
Original CVE updated: 2026-05-19
Advisory published: 2025-01-14
Advisory updated: 2026-05-19

Who should care

Organizations running Microsoft Office or Outlook on macOS endpoints should prioritize patching. Security teams managing macOS fleets with Microsoft productivity software, particularly those in mixed-platform environments, should verify update deployment. End users on macOS should ensure their Office applications are updated to protected versions.

Technical summary

This vulnerability allows remote code execution in Microsoft Outlook on macOS through improper restriction of names for files and other resources (CWE-641). The attack requires user interaction but no privileges, and can result in complete compromise of confidentiality, integrity, and availability on affected systems. The vulnerability is locally exploitable with low complexity, typically indicating that an attacker must convince a user to open a malicious file or interact with malicious content.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Microsoft security updates for affected Office and Outlook for macOS versions as directed in the vendor advisory
  • Update Microsoft Outlook for macOS to version 16.93 or later
  • Update Microsoft Office 2024 LTSC for macOS to the latest patched version
  • Update Microsoft Office LTSC 2021 for macOS to the latest patched version
  • Review and validate endpoint protection configurations on macOS systems running Microsoft Office applications
  • Monitor for anomalous Outlook process behavior or unexpected file system operations
  • Consider application control policies to restrict unauthorized code execution within Office applications
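For the "update Outlook for macOS to 16.93 or later" step, a fleet check needs a correct version comparison rather than a string comparison (as a string, "16.100" sorts below "16.93"). The following added Python example, not a PatchSiren or Microsoft tool, reads the bundle version from Outlook's Info.plist and compares it against 16.93. The install path /Applications/Microsoft Outlook.app and the CFBundleShortVersionString key are standard macOS bundle conventions assumed here, not values from the advisory; the sample plist bytes are constructed so the logic can be exercised off a Mac.

```python
"""Check an installed Outlook for Mac version against the fixed release (added example)."""
import plistlib
from pathlib import Path

FIXED_VERSION = "16.93"  # first fixed Outlook for macOS version named in the advisory

# Assumed default bundle location and version key (macOS conventions, not from the advisory).
OUTLOOK_PLIST = Path("/Applications/Microsoft Outlook.app/Contents/Info.plist")
VERSION_KEY = "CFBundleShortVersionString"

# Constructed sample plist standing in for an unpatched install during offline testing.
SAMPLE_PLIST = plistlib.dumps({"CFBundleName": "Microsoft Outlook", VERSION_KEY: "16.92.1"})


def parse_version(text):
    """'16.93.1 (24123456)' -> (16, 93, 1): keep the dotted numeric core, drop any build suffix."""
    core = text.strip().split()[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError("unexpected version string: %r" % text)
        parts.append(int(piece))
    return tuple(parts)


def is_patched(installed, fixed=FIXED_VERSION):
    """Numeric, component-wise comparison; shorter tuples are zero-padded so 16.93 == 16.93.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess_plist_bytes(data):
    """Return (status, version) for raw Info.plist bytes: 'patched', 'vulnerable' or 'unknown'."""
    info = plistlib.loads(data)
    version = info.get(VERSION_KEY)
    if not version:
        return ("unknown", None)
    return ("patched" if is_patched(version) else "vulnerable", version)


def assess_install(plist_path=OUTLOOK_PLIST):
    """Assess the real install; 'not installed' when the bundle is absent."""
    path = Path(plist_path)
    if not path.exists():
        return ("not installed", None)
    return assess_plist_bytes(path.read_bytes())


if __name__ == "__main__":
    status, version = assess_install()
    print("Outlook for Mac: %s (version %s, fixed in %s)" % (status, version, FIXED_VERSION))
```

Run it with an MDM script runner or over SSH across the macOS fleet and collect the status line; any host reporting "vulnerable" still has a build below 16.93 and belongs at the top of the patch queue.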

Evidence notes

CVSS vector and scoring derived from NVD analysis. Affected product versions confirmed through CPE criteria in NVD record. CWE classification reflects both Microsoft (CWE-641) and NVD (NVD-CWE-noinfo) assessments.

Official resources

Microsoft disclosed this vulnerability on January 14, 2025, with subsequent modifications to the advisory through May 19, 2026.