CVE-2024-38021: Zero-Click Vulnerability Discovered in Microsoft Outlook
Cybersecurity researchers at Morphisec have discovered a critical zero-click remote code execution (RCE) vulnerability, CVE-2024-38021, affecting most Microsoft Outlook applications. This vulnerability allows attackers to execute malicious code on a victim’s system without any user interaction, making it a particularly dangerous threat.
Unlike the previously disclosed CVE-2024-30103, which required authentication, this new vulnerability can be exploited with nothing more than an email from a trusted sender, which lowers the bar considerably for attackers seeking to launch widespread attacks.
While Microsoft has rated this vulnerability as “Important,” Morphisec researchers are urging Microsoft to reassess it as “Critical” due to its zero-click nature and potential for widespread impact. The ability to execute code remotely without any user interaction poses a significant risk of data breaches, unauthorized access, and other malicious activities.
Morphisec plans to release the technical details and proof-of-concept (POC) for both CVE-2024-30103 and CVE-2024-38021 at the DEF CON 32 conference in Las Vegas. The presentation, titled “Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021,” will be delivered by Michael Gorelik and Arnold Osipov, offering a deep dive into the vulnerabilities and their potential impact.
Microsoft has released a patch for CVE-2024-38021 as part of its July 2024 Patch Tuesday updates, along with patches for four other zero-day vulnerabilities (CVE-2024-38112, CVE-2024-38080, CVE-2024-35264, CVE-2024-37985). Users are strongly urged to apply these updates immediately to protect their systems.
In addition to patching, organizations should implement robust email security measures, such as disabling automatic email previews, and educate users about the risks associated with opening emails from unknown or suspicious sources.