Microsoft has patched a critical zero-click remote code execution flaw in Outlook, and every email marketer, business owner, and growth team running campaigns through Exchange needs to pay attention now.
Among the 137 vulnerabilities addressed in Microsoft's May 2026 Patch Tuesday update is a critical Outlook flaw that could pose a serious threat to enterprises. Tracked as CVE-2026-40361, the vulnerability is classified by Microsoft as a remote code execution flaw. Security researcher Haifei Li confirmed it is a zero-click use-after-free bug, meaning it can be exploited for remote code execution against Outlook users without any action on their part.
What the Flaw Does and Why It Is Different
Most email-borne attacks need a recipient to click a link or open an attachment. This one does not. A malicious email crafted to exploit this flaw can trigger an attack as soon as it is rendered. When the email arrives, Outlook automatically processes it for display, and on an unpatched system, that normal step can result in malicious code executing without any user action.
The flaw allows code execution on the affected endpoint without user interaction, creating risk of data access, credential theft, and post-compromise activity under the user's privileges.
Li explained that the vulnerability affects a DLL used heavily by both Word and Outlook, and he demonstrated its potential impact in an Outlook and Exchange Server environment. Because the vulnerability resides in Outlook's email rendering engine, traditional mitigations such as blocking attachments or links are ineffective.
Microsoft assigned CVE-2026-40361 a CVSS score of 8.4 and a critical severity rating, and its exploitability assessment rates exploitation as "more likely."
A Decade-Old Parallel: The "Enterprise Killer" Returns
Li compared CVE-2026-40361 to an Outlook vulnerability he discovered more than a decade ago. That earlier flaw, tracked as CVE-2015-6172 and named BadWinmail, was dubbed an "enterprise killer" by the researcher at the time, and the new flaw carries the same attack vector and the same potential impact.
The researcher's warning is direct. According to SecurityWeek, Li stated: "Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox."