Outlook Denial of Service Vulnerability

MEDIUM (5.0) No Patch (9331 days)

Threat Intelligence

Low Risk
EPSS Score: 15.51% chance of exploitation (percentile: 94%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages in which header fields such as BCC, Reply-To, Return-Path, or From are present but blank. The attacker needs only to be able to deliver mail to the victim: no authentication is required, and the victim does not have to take any action on the message for the client to fail.

Am I affected?

You're affected if you run Microsoft Outlook 2000 or earlier, or Outlook Express. Both are Windows-only products, so there is nothing to check on Linux or macOS. To locate installed copies and read their versions, run in PowerShell: Get-ChildItem 'C:\Program Files','C:\Program Files (x86)' -Recurse -Include outlook.exe,msimn.exe -ErrorAction SilentlyContinue | Select-Object FullName,@{n='Version';e={$_.VersionInfo.ProductVersion}} (outlook.exe is Outlook, msimn.exe is Outlook Express; Outlook 2000 reports version 9.x, Outlook 2002 10.x, Outlook 2003 11.x, Outlook 2007 12.x). Listing %appdata%\Microsoft\Outlook only shows that Outlook has been used on the machine; it does not reveal the installed version.

Note: This is a different issue from the Outlook denial-of-service vulnerability tracked as CVE-2004-2872, which affects later versions of Microsoft Outlook; the two are unrelated.

Affected Products

Microsoft / Outlook

How to fix

  1. Upgrade to a version of Microsoft Outlook that is not affected by this vulnerability, such as Outlook 2007 or later, and replace Outlook Express with a current mail client.
  2. For immediate mitigation, filter at the mail gateway: reject or quarantine any message in which a From, Reply-To, Return-Path, or BCC header is present but empty, so that vulnerable clients never parse it. Blocking all mail from unknown senders is a blunt substitute that does not address the empty-header condition itself.
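The following Python script is an added example, not code from this advisory or from Microsoft. It implements the header check from mitigation step 2 as a gateway or mailbox-scan rule: it flags a message only when one of the four named headers is present with an empty or whitespace-only value, and it deliberately passes two look-alikes that a naive check would block, a folded (multi-line) From header and the legitimate null reverse-path "Return-Path: <>" used by bounces. The sample messages are constructed for the demonstration; the function and sample names are this example's own.

```python
"""Screen raw RFC 5322 messages for the present-but-empty headers named in the advisory."""
import email
from email.message import Message

# Headers named in the advisory. The trigger condition is a header that is
# present with an empty (or whitespace-only) value, not a header that is absent.
WATCHED_HEADERS = ("From", "Reply-To", "Return-Path", "Bcc")


def blank_headers(raw: bytes) -> list[str]:
    """Return the watched header names that appear in `raw` with a blank value.

    The default (compat32) parser keeps header values as raw strings and does
    no address parsing, so a malformed value cannot make the checker itself
    fail on the very input it is meant to catch.
    """
    msg: Message = email.message_from_bytes(raw)
    hits = []
    for name in WATCHED_HEADERS:
        values = msg.get_all(name)  # case-insensitive lookup; None if the header is absent
        if values is None:
            continue
        if any(value.strip() == "" for value in values):
            hits.append(name)
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold any message with at least one blank watched header."""
    return bool(blank_headers(raw))


# Constructed sample messages for demonstration; these are not captured traffic.
BENIGN = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"ordinary message\r\n"
)
BLANK_FROM = (
    b"From:\r\n"  # header present, value empty
    b"To: bob@example.com\r\n"
    b"Subject: empty sender\r\n"
    b"\r\n"
    b"body\r\n"
)
BLANK_REPLYTO_BCC = (
    b"From: mallory@example.net\r\n"
    b"Reply-To: \r\n"  # space only
    b"Bcc:\t\r\n"  # tab only
    b"To: bob@example.com\r\n"
    b"\r\n"
    b"body\r\n"
)
# A folded header: the value continues on the next line. This is legal and
# non-empty, so it must not be flagged.
FOLDED_FROM = (
    b"From:\r\n"
    b" alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"\r\n"
    b"body\r\n"
)
# "<>" is the legitimate null reverse-path used by bounces; it is a value,
# not a blank field, and must not be flagged either.
NULL_RETURN_PATH = (
    b"Return-Path: <>\r\n"
    b"From: MAILER-DAEMON@example.org\r\n"
    b"To: bob@example.com\r\n"
    b"\r\n"
    b"delivery failure\r\n"
)

SAMPLES = {
    "benign": BENIGN,
    "blank_from": BLANK_FROM,
    "blank_replyto_bcc": BLANK_REPLYTO_BCC,
    "folded_from": FOLDED_FROM,
    "null_return_path": NULL_RETURN_PATH,
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the check over a set of messages; maps each label to the blank headers found."""
    return {label: blank_headers(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        verdict = "QUARANTINE" if hits else "pass"
        print(f"{label:20s} {verdict:10s} blank headers: {hits}")
```

Running the script prints one verdict per sample: the two messages with empty From, Reply-To, or Bcc values are held, while the benign, folded, and null-return-path messages pass. Plug blank_headers into whatever hook your gateway exposes for raw messages (a milter, a content filter, or a batch scan of a mailbox) to keep such messages away from clients that have not been upgraded.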