Vulnerability in Outlook Gives Attackers Access to Email
A recently discovered vulnerability in Microsoft Outlook allows attackers to execute malicious code on targeted PCs. According to the Morphisec researchers who found it, the flaw can be exploited without any user interaction, depending on who the sender is.

The vulnerability, tracked as CVE-2024-38021, lets unauthenticated attackers achieve remote code execution (RCE) on victims' machines. Although Microsoft's initial communication stated that the vulnerability requires the user to allow blocked content, Morphisec's research shows that exploitation is zero-click when the email comes from a trusted sender.

Morphisec has pushed Microsoft to rank the vulnerability as critical due to its serious consequences, especially with the zero-click vector for trusted senders. As of right now, Microsoft has assigned it a high severity CVSS score of 8.8.

Successful exploitation of CVE-2024-38021 could lead to unauthorized access, data leakage, and other malicious activity. The fact that no user authentication is required greatly increases the risk, as it opens the door to mass exploitation.

Morphisec reported the vulnerability to Microsoft on April 21, and a patch has been available since July 9. Affected products include Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. Microsoft urges customers to update as soon as possible, even though no active exploitation is currently known.

In June, Microsoft patched another Outlook RCE vulnerability, CVE-2024-30103, which under certain circumstances may also be exploitable without user interaction. Technical details of both vulnerabilities are scheduled to be presented at the DEF CON 32 hacker conference in Las Vegas in August.