CVE-2026-42893 – Microsoft Outlook for iOS Tampering Vulnerability

A tampering vulnerability exists in Microsoft Outlook for iOS involving improper neutralization of special command elements in M365 Copilot. An unauthorized attacker could exploit this vulnerability over a network to perform tampering actions. Exploitation requires user interaction, but no attacker privileges are needed. Microsoft has released an official fix.

CVSS Score: 7.4

SEVERITY: Important

THREAT:
This vulnerability could allow an attacker to tamper with trusted application behavior or content by abusing command injection conditions. The main risk is integrity impact, where attacker-controlled input may influence actions beyond the intended security boundary.

EXPLOITS:
No public exploit or proof-of-concept (PoC) exploit code has been confirmed. The vulnerability is not reported as exploited, and exploitation is assessed as less likely. Exploit code maturity is listed as Unproven.

TECHNICAL SUMMARY:
The vulnerability is caused by improper neutralization of special elements used in a command, classified as CWE-77: Command Injection. The issue affects M365 Copilot functionality associated with Microsoft Outlook for iOS. An attacker could send crafted content or requests that require user interaction and may result in tampering over a network. The CVSS vector shows low attack complexity, no privileges required, required user interaction, changed scope, and high integrity impact.

EXPLOITABILITY:
Affected software is Microsoft Outlook for iOS with vulnerable M365 Copilot functionality. Exploitation requires network access and user interaction, but no prior privileges.

BUSINESS IMPACT:
Organizations using Outlook for iOS and M365 Copilot may face integrity risks if attackers manipulate trusted mobile productivity workflows. Successful exploitation could damage trust in communications, alter expected application behavior, or support broader social engineering and workflow manipulation attacks.

WORKAROUND:
Apply the official Microsoft update. If patching is delayed, limit exposure to suspicious messages or prompts, educate users to avoid interacting with unexpected content, and monitor mobile application activity for unusual behavior.