Urgent Call to Secure Systems Against Ongoing Attacks Exploiting Microsoft Outlook RCE Vulnerability

February 6, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies to fortify their systems against ongoing attacks that are exploiting a critical remote code execution (RCE) vulnerability in Microsoft Outlook. The vulnerability, tracked as CVE-2024-21413, was discovered by Check Point vulnerability researcher Haifei Li. It stems from improper input validation when vulnerable versions of Outlook open emails containing malicious links.

The flaw enables attackers to gain remote code execution because it lets them circumvent Protected View, which is meant to block harmful content embedded in Office files by opening them in read-only mode. Instead, malicious Office files are opened in editing mode. Microsoft, when patching CVE-2024-21413 a year ago, also cautioned that the Preview Pane is an attack vector, permitting successful exploitation even when previewing maliciously crafted Office documents.

As Check Point elaborated, this security flaw, nicknamed Moniker Link, permits threat actors to evade built-in Outlook protections for malicious links embedded in emails using the file:// protocol. They achieve this by adding an exclamation mark to URLs pointing to attacker-controlled servers. The exclamation mark is inserted right after the file extension, along with random text.
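For mail filtering or retrospective hunting, the link shape described above can be checked mechanically. The following is an added example, not code from Check Point, Microsoft or CISA: the regular expression is a heuristic assumed from the description, `find_moniker_links` is a hypothetical helper name, and the sample message and host names are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote

# Heuristic (assumption): a file:// target in which a file extension is
# immediately followed by "!" and more text.
MONIKER_RE = re.compile(r"^\s*file:[/\\]{2,}[^!]*\.[a-z0-9]{1,8}!.+", re.I | re.S)

class _HrefCollector(HTMLParser):
    """Collects href values of <a> tags; entity references are already decoded."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_moniker_links(raw_message: str) -> list[str]:
    """Return the href values in text/html parts that match the heuristic."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        collector = _HrefCollector()
        collector.feed(html)
        # unquote() so that "%21" is treated the same as a literal "!"
        hits += [h for h in collector.hrefs if MONIKER_RE.match(unquote(h))]
    return hits

# Constructed sample message (not from a real incident)
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.invalid/report.rtf">ordinary web link</a>
<a href="file:///\\\\fileserver.example.invalid\\share\\report.rtf">plain file link</a>
<a href="file:///\\\\fileserver.example.invalid\\share\\report.rtf!abc">flagged</a>
<a href="file:///\\\\fileserver.example.invalid\\share\\report.rtf%21abc">flagged, encoded</a>
</body></html>
"""

if __name__ == "__main__":
    for link in find_moniker_links(SAMPLE):
        print("suspicious link:", link)
```

A match is a triage signal rather than proof of exploitation, and the check complements patching rather than replacing it.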

This vulnerability affects several Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Successful attacks exploiting CVE-2024-21413 can lead to the theft of NTLM credentials and the execution of arbitrary code via maliciously crafted Office documents.

On Thursday, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that it is being actively exploited. As required by the Binding Operational Directive (BOD) 22-01, federal agencies must secure their networks within three weeks, by February 27. 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,' the cybersecurity agency warned.

While CISA's primary focus is on alerting federal agencies about vulnerabilities that need to be patched immediately, private organizations are also advised to prioritize patching these flaws to prevent ongoing attacks.
