Morphisec researchers have identified CVE-2024-38021, a critical zero-click remote code execution (RCE) vulnerability affecting various Microsoft Outlook applications. It poses significant risks, including potential data breaches and unauthorized access.
Unlike the previously disclosed CVE-2024-30103, which required authentication, this new vulnerability requires no authentication. Microsoft has classified it as ‘Important,’ distinguishing between trusted and untrusted senders: it is zero-click for trusted senders, while for untrusted senders it requires one-click user interaction.
Given the severity of this vulnerability, researchers have asked Microsoft to reassess it and reclassify it as ‘Critical’ because of its potential for widespread impact, especially with trusted senders. Although exploitation is more complex than for the previous vulnerability, CVE-2024-30103, the possibility that chaining multiple vulnerabilities could simplify the attack remains a concern.
The vulnerability was initially reported to Microsoft on April 21, 2024, confirmed on April 26, 2024, and subsequently included in Microsoft’s Patch Tuesday updates on July 9, 2024. Microsoft’s prompt patch release has been acknowledged, considering the critical nature of the vulnerability and the challenges posed by previous patches.
Due to the severe risks posed by CVE-2024-38021, with its zero-click nature for trusted senders and lack of authentication requirements, immediate action is necessary. Attackers could exploit this vulnerability to execute arbitrary code, gain unauthorized access, and cause significant damage without user interaction.
It is crucial for users to deploy the latest patches for Microsoft Outlook and Office applications promptly. Additionally, enhancing email security measures, such as disabling automatic email previews, is recommended to mitigate the risks associated with this vulnerability.