
Windows permanent security problem triggers threat level 2 at the BSI

A critical security gap in Windows OLE alerts the BSI. The authority has upgraded the IT threat situation to yellow level. Users are at risk simply by viewing an email in Outlook. The problem could develop into an ongoing issue.

Windows OLE: Critical vulnerability discovered

A critical security flaw in Windows Object Linking and Embedding (OLE) is causing trouble again. The vulnerability, which occurs in Windows and various Microsoft products, could become a permanent problem. What is particularly worrying is that attackers can exploit the vulnerability without requiring active user interaction.

The vulnerability, identified as CVE-2025-21298, allows attackers to execute malicious code on the user’s system simply by opening or viewing a crafted email in the preview of Microsoft Outlook. This fact makes the vulnerability particularly dangerous, as even careful users can easily fall victim.

BSI upgrades IT threat situation

Because of the severity of the vulnerability, the Federal Office for Information Security (BSI) has raised the IT threat level to level 2 (yellow). This means “increased observation of abnormalities with temporary disruption to regular operations”. Although Microsoft states that it has not yet observed active exploitation of the vulnerability, the company considers the likelihood of future attacks to be high.

Recommended protective measures

To minimize the risk, the BSI urgently recommends the following measures:

  • Prompt installation of security updates provided by Microsoft
  • Activation of a workaround if updates cannot be installed immediately
  • Raise user awareness of the dangers

The recommended workaround is to configure Microsoft Outlook to display all incoming emails as plain text by default. The setting can be enabled per user in Outlook’s Trust Center (Email Security) or enforced centrally through Group Policy.
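The following PowerShell script is an added example; it is not part of the BSI recommendation or of Microsoft’s own guidance, and it illustrates both the workaround described here and the “How can I protect myself?” answer further down. It shows how an administrator would set and then verify the plain-text setting without clicking through the Trust Center. It assumes Outlook 2016 or later (registry version key 16.0), that the Trust Center checkbox “Read all standard mail in plain text” is stored as the ReadAsPlain DWORD under HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail (the value Outlook has long used for this option), and that the Group Policy setting “Read e-mail as plain text” writes the same value under the Policies hive, which Outlook treats as authoritative. Writing to the Policies hive requires an elevated session or delivery through a GPO.

```powershell
# Added example (not from the article, the BSI or Microsoft): force Outlook to
# render incoming mail as plain text and verify that the setting is in effect.
# Assumptions: Office version key 16.0 (Outlook 2016/2019/2021/365); the
# ReadAsPlain / ReadSignedAsPlain DWORDs back the Trust Center checkboxes and
# the corresponding Group Policy settings. Adjust $OfficeVersion for older builds.

$OfficeVersion = '16.0'

# Per-user value written by Trust Center > Email Security > "Read all standard mail in plain text"
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
# Policy location: overrides the user value and greys out the Trust Center checkbox
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Set-OutlookPlainText {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # 1 = display standard (HTML/RTF) messages as plain text
    Set-ItemProperty -Path $Key -Name 'ReadAsPlain'       -Value 1 -Type DWord
    # digitally signed messages have their own switch; cover them as well
    Set-ItemProperty -Path $Key -Name 'ReadSignedAsPlain' -Value 1 -Type DWord
}

function Test-OutlookPlainText {
    # Returns $true if either the policy or the per-user value forces plain text.
    # The policy key is checked first because it wins when both are present.
    foreach ($k in @($PolicyKey, $UserKey)) {
        $v = Get-ItemProperty -Path $k -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
        if ($v -and $v.ReadAsPlain -eq 1) { return $true }
    }
    return $false
}

# Apply via the policy hive (needs admin rights or a GPO), then verify.
Set-OutlookPlainText
if (Test-OutlookPlainText) {
    Write-Output "Outlook $OfficeVersion will render incoming mail as plain text (restart Outlook to apply)."
} else {
    Write-Warning "ReadAsPlain is not set to 1; check the registry path for your Office version."
}
```

Outlook reads the value at start-up, so running clients must be restarted. Test-OutlookPlainText is also useful on its own for auditing endpoints that were supposed to receive the policy. Note what the workaround does and does not cover: it removes the preview-pane mail vector that the article describes, but the page also points out that other Microsoft applications using OLE could be affected, and plain-text mail does nothing for those paths; installing the update remains the primary fix.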

Plain text as effective protection

IT security experts point out that although the text-only configuration may limit the convenience of using email, it provides effective protection against this and potentially future vulnerabilities. In the plain text view, emails are displayed without images, special fonts or animations, which significantly reduces the attack surface.

Other critical security vulnerabilities

In addition to the OLE vulnerability, Microsoft has closed other critical security holes in the current patch day, including one in the Windows Remote Desktop Service and several privilege escalation vulnerabilities. Attack attempts have already been observed for some of these vulnerabilities, underscoring the urgency of security updates.

Target for cybercriminals

OLE, a technology that has been integrated into Windows since the early 1990s, allows objects to be linked and embedded between different applications. Despite its age, it still plays an important role in modern Windows systems, making it an attractive target for cybercriminals.

How dangerous is the gap?

The security vulnerability (CVE-2025-21298) is classified as particularly critical because it can be exploited without active user interaction. Simply opening or viewing a crafted email in the Outlook preview is enough for a successful attack. Due to the severity, the BSI has upgraded the IT threat situation to level 2 (yellow). Although Microsoft has not observed any active attacks to date, the likelihood of future attacks is considered high.

How can I protect myself?

The most important protective measure is to promptly install the security updates provided by Microsoft. As an immediate measure, users should switch to plain text display of emails in Microsoft Outlook. This setting can be activated via the Outlook Trust Center or through Group Policy. Although this limits the convenience of email, it offers effective protection against this and similar vulnerabilities.

What is OLE anyway?

OLE (Object Linking and Embedding) is a technology that has been integrated into Windows since the 1990s. It allows objects to be linked and embedded between different applications, such as embedding Excel spreadsheets into Word documents. Despite its age, the technology still plays an important role in modern Windows systems, making it a popular target for attacks. According to experts, the current vulnerability could develop into a permanent problem.

Which systems are affected?

The vulnerability affects all current Windows versions and various Microsoft products. Systems on which Microsoft Outlook is installed are particularly at risk, as exploitation is possible simply by viewing emails. Other Microsoft applications that use OLE technology could also be affected. Microsoft is working on further updates to secure all affected products.

Has the vulnerability already been exploited?

According to official information from Microsoft, no active exploitation of the vulnerability has been observed in the wild. However, the company rates the likelihood of future attacks as high. Security experts warn that the vulnerability’s ease of exploitation makes it particularly attractive to cybercriminals. The BSI therefore urgently recommends taking preventative protective measures.

How do I recognize an attack?

Detecting an attack is particularly difficult because it does not require active user interaction. Unexpected system behavior or performance drops after opening emails are suspicious. If in doubt, users should take their system offline and have it checked by IT security experts. The best defense, however, is to preventively switch to plain-text emails and apply updates promptly.

Are there any further updates?

In addition to the OLE vulnerability, Microsoft has closed other critical security gaps in the current patch day. These include vulnerabilities in the Windows Remote Desktop Service and several privilege escalation issues. The company strongly recommends installing all available security updates promptly, as attempted attacks have already been observed for some of these vulnerabilities.

Plain-text emails: what changes?

For plain-text emails, all HTML formatting, images, and animations are removed. This means that emails are displayed without special fonts, embedded images or formatting. While this limits the visual display, it provides effective protection against this and similar vulnerabilities. Links remain functional, but are displayed as plain text.