CVE-2025-21259: Microsoft Outlook Spoofing Vulnerability

Overview

Severity
Medium (CVSS 5.3)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Category
Spoofing
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2025-Feb
Released
2025-02-11
EPSS Score
0.47% (percentile: 64.5%)

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?
An attacker's message can inherit the sender's email address of another message when it is displayed in the Outlook for Android UI. The attacker cannot control which message it inherits the address from. This issue occurs exclusively for messages in the Junk folder, as it is the only folder where the app displays the sender's email address. The attacker cannot affect confidentiality or availability.
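Because the address rendered in the Junk folder list cannot be trusted while a client is unpatched, an analyst triaging a suspicious message should confirm the real sender from the raw RFC 5322 headers rather than from what the mobile client shows. The following is an added example, not code from the advisory or from Microsoft; it assumes the message can be exported as raw bytes (for example as an .eml file), and both sample messages below are constructed for illustration, with invented example.com/example.net/example.org addresses.

```python
"""Extract the sender facts an analyst should trust over the client's UI.

Added example, not part of the advisory. Assumes the raw message bytes are
available; the two messages below are constructed samples, not real mail.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a lookalike "IT Support" message that fails DMARC and
# routes replies to a different domain than the displayed From address.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=fail header.d=trusted.example.com;
 dmarc=fail header.from=trusted.example.com
From: "IT Support" <helpdesk@trusted.example.com>
Reply-To: attacker@evil.example.net
To: victim@example.org
Subject: Password reset required
Content-Type: text/plain; charset=utf-8

Please reset your password at the link below.
"""

# Constructed sample: a message whose authentication results all pass and
# whose Return-Path is aligned with the From domain.
CLEAN_MESSAGE = b"""\
Return-Path: <helpdesk@trusted.example.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=trusted.example.com;
 dkim=pass header.d=trusted.example.com;
 dmarc=pass header.from=trusted.example.com
From: "IT Support" <helpdesk@trusted.example.com>
To: victim@example.org
Subject: Maintenance window
Content-Type: text/plain; charset=utf-8

Mail will be unavailable on Saturday.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_facts(raw: bytes) -> dict:
    """Parse the headers that identify the actual sender and flag mismatches.

    The displayed sender in a mail client is derived from the From header;
    under the bug described above that display can be wrong, so we go back
    to the headers themselves and to the receiving MTA's Authentication-
    Results, which the client UI never alters.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    # Authentication-Results may be folded across lines; the header object
    # already has the line breaks removed, so a simple regex is enough.
    auth_text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    auth = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth_text)
        auth[method] = m.group(1).lower() if m else "none"

    reasons = []
    if auth["dmarc"] != "pass":
        reasons.append(f"dmarc={auth['dmarc']}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    if return_path and _domain(return_path) != _domain(from_addr):
        reasons.append("Return-Path domain differs from From domain")

    return {
        "from_address": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "auth": auth,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        facts = sender_facts(raw)
        print(label, "suspicious" if facts["suspicious"] else "ok", facts["reasons"])
```

A Return-Path on a different domain is normal for legitimate bulk mail, so that reason alone is a prompt to look closer rather than a verdict; the DMARC result and the Reply-To mismatch are the stronger signals. None of this depends on what any client rendered, which is the point when the rendered address is the thing in doubt.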

Affected Products (1)

Apps

  • Microsoft Outlook for Android

Security Updates (1)

Acknowledgments

Jérémie Fréreault

Revision History

  • 2025-02-11: Information published.