CISA warned U.S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability.
Discovered by Check Point vulnerability researcher Haifei Li and tracked as CVE-2024-21413, the flaw is caused by improper input validation when opening emails with malicious links using vulnerable Outlook versions.
Attackers gain remote code execution because the flaw lets them bypass Protected View, which is meant to block harmful content embedded in Office files by opening them in read-only mode, so a malicious Office file opens in editing mode instead.
When it patched CVE-2024-21413 one year ago, Microsoft also warned that the Preview Pane is an attack vector, allowing successful exploitation even when previewing maliciously crafted Office documents.
As Check Point explained, this security flaw (dubbed Moniker Link) lets threat actors bypass Outlook's built-in protections for links embedded in emails by using the file:// protocol and appending an exclamation mark to URLs that point to attacker-controlled servers.
The exclamation mark is added right after the file extension, together with random text (in their example, Check Point used “something”), as shown below:
*CLICK ME*
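A defender-side check for the link shape described above, written as an added example (not code from Check Point, Microsoft or CISA): it pulls every href out of an HTML email body and flags file:// links that carry an exclamation mark right after a file extension, with plain file:// links reported at a lower tier. The sample email, the share.example host and the function names are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# file: scheme, any letter case, optional leading whitespace
FILE_SCHEME_RE = re.compile(r"^\s*file:", re.IGNORECASE)
# ".<ext>!" : an exclamation mark immediately after a file extension,
# the shape of the Moniker Link bypass described in the article
BANG_AFTER_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,10}!")


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> value in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def classify_href(href):
    """Return 'moniker-link', 'file-link' or None for a single href."""
    if not FILE_SCHEME_RE.match(href):
        return None
    if BANG_AFTER_EXT_RE.search(href):
        return "moniker-link"   # file:// plus "!" after the extension
    return "file-link"          # file:// without the bypass marker


def scan_email(html):
    """Return [(href, verdict)] for every file:// link in an HTML body."""
    collector = _HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        verdict = classify_href(href)
        if verdict:
            findings.append((href, verdict))
    return findings


# Constructed sample email body; share.example is a placeholder host.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Report is on <a href="https://intranet.example/report">the portal</a>.</p>
<p><a href="file://share.example/public/report.rtf!something">CLICK ME</a></p>
<p>Old copy: <a href="FILE://share.example/public/old.docx">archive</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, verdict in scan_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict}: {href}")
```

The check is intentionally broad; it flags the link shape, and a mail gateway would still need to confirm whether the destination is an internal share or an external host.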
CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Successful attacks can result in the theft of NTLM credentials and the execution of arbitrary code via maliciously crafted Office documents.
On Thursday, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited. As mandated by Binding Operational Directive (BOD) 22-01, federal agencies must secure their networks within three weeks, by February 27.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned.
While CISA primarily focuses on alerting federal agencies about vulnerabilities that should be patched as soon as possible, private organizations are also advised to prioritize patching these flaws to block ongoing attacks.