CVE-2024-21413 : Microsoft Outlook Remote Code Execution Vulnerability

Microsoft Outlook Remote Code Execution Vulnerability

Published 2024-02-13 18:16:00

Updated 2025-02-07 02:00:02

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2024-21413

Microsoft » Office » Version: 2019
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*
Matching versions
Microsoft » Office » Version: 2016
cpe:2.3:a:microsoft:office:2016:*:-:*:-:*:-:*
Matching versions
Microsoft » 365 Apps » Version: N/A Enterprise Edition
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*
Matching versions
Microsoft » Office Long Term Servicing Channel » Version: 2021
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*
Matching versions

CVE-2024-21413 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Microsoft Outlook Improper Input Validation Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.

Notes:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413 ; https://nvd.nist.gov/vuln/detail/CVE-2024-21413

Added on 2025-02-06 Action due date 2025-02-27

Exploit prediction scoring system (EPSS) score for CVE-2024-21413

EPSS FAQ

93.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-21413

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	Microsoft Corporation	2024-02-13
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/...	N/A	N/A	MS-CVE-2024-21413	2024-02-13
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-21413

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: secure@microsoft.com (Secondary)

References for CVE-2024-21413

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413

CVE-2024-21413 - Security Update Guide - Microsoft - Microsoft Outlook Remote Code Execution Vulnerability
Patch;Vendor Advisory
https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/

The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture - Check Point Research