The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has issued an urgent alert to federal agencies concerning active exploitation of a critical vulnerability in Microsoft Outlook, tracked as CVE-2024-21413.
This remote code execution (RCE) flaw, discovered by Check Point researcher Haifei Li, stems from inadequate input validation when Outlook processes emails that contain malicious links.
According to Microsoft, the successful exploitation of this vulnerability could enable an attacker to circumvent the Office Protected View and open the file in editing mode instead of the protected mode.
Microsoft Outlook Vulnerability (CVE-2024-21413)
This bug, dubbed the “MonikerLink” flaw, lets attackers craft hyperlinks that use the file:// protocol and append an exclamation mark followed by arbitrary text to the URL.
Such a link bypasses Outlook’s built-in protections, so a malicious Office document opens in editing mode rather than the safer read-only Protected View.
The vulnerability affects several Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Business, Microsoft Outlook 2016, and Microsoft Office 2019.
Microsoft has previously warned that merely previewing a malicious email in Outlook’s Preview Pane can trigger exploitation, making this a zero-click attack vector. Successful exploitation could result in:
- Theft of NTLM credentials.
- Execution of remote code.
- Possible complete system compromise.
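As an added defensive example that is not part of the original article, the following script scans HTML email bodies for hyperlinks of the shape described above (a file:// URL whose path is followed by “!” and arbitrary text) and notes whether the target host is remote, where an NTLM handshake could leak credentials. The sample messages, the documentation address 192.0.2.10 and the function names are constructed for illustration, not real indicators.

```python
# Added defensive example (not code from the original article): flag e-mail
# hyperlinks of the shape the article describes, file://host/share/doc.ext!text,
# and note whether the host is remote, where an NTLM handshake could leak.
import re
from urllib.parse import urlparse

# Matches the value of href="..." or href='...' in an HTML body.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# A file:// link with no host, or one of these hosts, points at the local machine.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def find_monikerlink_candidates(html: str) -> list:
    """Return one record per file:// link whose path carries a '!' suffix."""
    hits = []
    for link in HREF_RE.findall(html):
        parsed = urlparse(link.strip())
        if parsed.scheme.lower() != "file":
            continue
        # Moniker syntax: everything after the first '!' is the moniker part.
        path, bang, tail = parsed.path.partition("!")
        if not bang:
            continue
        hits.append({
            "url": link,
            "host": parsed.netloc,
            "target": path,
            "moniker_suffix": tail,
            "remote": parsed.netloc.lower() not in LOCAL_HOSTS,
        })
    return hits


def scan_all(bodies: dict) -> dict:
    """Map each message name to its candidates (empty list if clean)."""
    return {name: find_monikerlink_candidates(body) for name, body in bodies.items()}


# Constructed sample messages; 192.0.2.10 is a documentation address, not an IoC.
SAMPLE_BODIES = {
    "benign": '<p>See <a href="https://example.com/report.pdf">the report</a></p>',
    "local_plain": '<a href="file:///C:/docs/agenda.docx">agenda</a>',
    "monikerlink": '<p>Review <a href="file://192.0.2.10/share/test.rtf!anything">'
                   'this document</a> today.</p>',
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_BODIES).items():
        print(f"{name}: {hits or 'clean'}")
```

A hit with "remote" set to True is the case worth alerting on, since it is the one that would cause the client to reach out to an attacker-controlled host.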
CISA’s Reaction
On February 6, 2025, CISA included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, directing federal agencies to secure their systems by February 27 pursuant to Binding Operational Directive (BOD) 22-01.
“A critical input validation vulnerability in Microsoft Outlook facilitates remote code execution,” CISA remarked.
CISA stressed that such vulnerabilities are frequently exploited by cybercriminals and state-sponsored actors, posing substantial threats to both governmental and private entities.
Both CISA and Microsoft recommend immediate measures to mitigate this risk:
- Apply Security Patches: Ensure that all affected products are updated with the latest security fixes.
- Turn Off NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft.
- Monitor Network Activity: Watch for abnormal outbound connections to attacker-controlled servers.
- Provide User Education: Train staff to recognise phishing attempts and avoid suspicious links or attachments.
- Enable Advanced Threat Protection: Use tools such as Microsoft Defender to improve security monitoring.
The article “Critical Microsoft Outlook Vulnerability (CVE-2024-21413) Actively Exploited in Attacks – CISA Warns” was originally published on Cyber Security News.