RCE vulnerability in Outlook leads to remote code execution
The vulnerability, discovered by Check Point, has been designated CVE-2024-21413. It is triggered when emails with malicious links are opened in vulnerable versions of Outlook. The vulnerability affects several Office products, including Microsoft Office LTSC 2021, Microsoft 365 for enterprise, as well as Microsoft Outlook 2016 and Microsoft Office 2019.
The vulnerability allows bypassing Outlook’s built-in protections for malicious links embedded in emails by using the file:// protocol, through which Outlook contacts the attackers’ remote server.
Adding an exclamation mark immediately after the document's file extension bypasses Outlook's security restrictions. In this case, when the user clicks the link, Outlook accesses the remote resource and opens the target file without displaying any warnings or errors.
The vulnerability allows a remote attacker to obtain a user’s NTLM hash, execute arbitrary code via maliciously crafted Office documents, etc.
A PoC has been published on GitHub.
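A detection sketch for the link pattern described above, added here as an example and not taken from Check Point, Microsoft or the published PoC: it extracts `href` values from an HTML mail body and flags `file:` links, with a separate verdict when an exclamation mark follows a file extension. The host names, the regular expression and the function names are assumptions made for illustration, and the sample body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# "!" directly after a file extension, e.g. "report.rtf!anything" (assumed heuristic)
BANG_AFTER_EXT = re.compile(r"\.[A-Za-z0-9]{1,8}!")


class HrefCollector(HTMLParser):
    """Collect the href value of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def classify_link(href):
    """Return 'bang-after-extension', 'file-url' or None for one href."""
    url = unquote(href).strip()  # decode %21 and %5C so encoding does not hide the pattern
    if not url.lower().startswith("file:"):
        return None
    return "bang-after-extension" if BANG_AFTER_EXT.search(url) else "file-url"


def scan_html(body):
    """Return (verdict, href) pairs for every flagged link in the body."""
    collector = HrefCollector()
    collector.feed(body)
    collector.close()
    findings = [(classify_link(h), h) for h in collector.hrefs]
    return [f for f in findings if f[0]]


# Constructed sample mail body; hosts use the reserved .test TLD
SAMPLE = r"""
<p>Please review:</p>
<a href="file:///\\files.example.test\share\report.rtf!x">Q3 report</a>
<a href="file:///\\files.example.test\share\report.rtf">plain file link</a>
<a href="https://www.example.test/a.pdf!b">web link</a>
<a href="FILE:///%5C%5Cfiles.example.test/share/notes.docx%21y">encoded</a>
"""

if __name__ == "__main__":
    for verdict, href in scan_html(SAMPLE):
        print(f"{verdict:22} {href}")
```

A mail gateway or hunting script could treat `bang-after-extension` as high priority and `file-url` as worth review, since any `file:` link in inbound mail points Outlook at a resource outside the message.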