Microsoft Patches Zero-Click Outlook RCE in 137-Flaw Update as Researcher Warns of CEO Email Risk
5 articles · Updated · SecurityWeek · May 13
CVE-2026-40361 stands out in Microsoft’s May Patch Tuesday because the zero-click flaw can trigger remote code execution when an Outlook user merely reads or previews an email.
Haifei Li, credited with reporting the bug, said it sits in a DLL heavily used by Word and Outlook, making it hard to block; rendering mail in plain text is one mitigation.
Microsoft rated exploitation "more likely," and Li said the attack path could let an attacker compromise executives such as CEOs or CFOs directly through the inbox, bypassing enterprise firewalls.
Li has built only a proof of concept rather than a full code-execution exploit, but he compared the issue to his 2015 "BadWinmail" Outlook bug, which was dubbed an enterprise killer.
The patch was part of Microsoft’s May 2026 release covering 137 vulnerabilities, including 31 critical flaws across Office, Windows, Azure and other products.
Why do the same critical memory flaws still plague Microsoft's core products after decades of patches?
As AI accelerates exploit creation, is the monthly security patch cycle now obsolete?