CVE-2019-1204 — Microsoft Outlook Elevation of Privilege Vulnerability

Executive Summary

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email. This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.

Overview

Important

MS Severity

Not Exploited

MS Exploit Status

More Likely

MS Exploit Likelihood

Category Elevation of Privilege

Released Aug 13 2019

Last Updated Aug 13 2019

Publicly Disclosed No

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.04423 — 0.90108 percentile

EPSS Score

0.04423

probability of exploitation in the next 30 days

0.90108 percentile - updated 2026-06-20

View on FIRST.org

Affected Products

11 affected products

Product	KB Article	Severity	Impact	Restart Required
Microsoft Office 2019 for 32-bit editions	`Click to Run (Security Update)`	Important	Elevation of Privilege	No
Microsoft Office 2019 for 64-bit editions	`Click to Run (Security Update)`	Important	Elevation of Privilege	No
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)	`4475573 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)	`4475573 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2013 RT Service Pack 1	`4475563 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)	`4475563 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)	`4475563 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2016 (32-bit edition)	`4475553 (Security Update)`	Important	Elevation of Privilege	Maybe
Microsoft Outlook 2016 (64-bit edition)	`4475553 (Security Update)`	Important	Elevation of Privilege	Maybe
Office 365 ProPlus for 32-bit Systems	`Click to Run (Security Update)`	Important	Elevation of Privilege	No
Office 365 ProPlus for 64-bit Systems	`Click to Run (Security Update)`	Important	Elevation of Privilege	No

Patches

4 patches

Article	Type	Restart
`Click to Run`	Security Update	No
`4475573`	Security Update	Maybe
`4475563`	Security Update	Maybe
`4475553`	Security Update	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

Nicolas Joly of Microsoft Corporation

References

MSRC Advisory MITRE NVD