CVE-2024-21413: Microsoft Outlook Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited (Microsoft's assessment; see Revision History for the 2024-02-14 flip and revert)
Exploitation Likelihood: Unlikely (Microsoft's assessment at publication)
Patch Tuesday: 2024-Feb
Released: 2024-02-13
Last Updated: 2024-02-14
EPSS Score: 92.96% (percentile: 99.8%)
CISA KEV: Listed (remediation due 2025-02-27)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability?
Successful exploitation of this vulnerability would allow an attacker to bypass Office Protected View, so that the content is opened in editing mode rather than in protected mode.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

If I am running Office 2016 (32-bit edition) or Office 2016 (64-bit edition), what do I need to do to be protected from this vulnerability?
To be protected, customers running Office 2016 need to install all the updates listed for their edition in the following tables.

For Office 2016 (32-bit edition):

  Product                                  Article   Download          Build Number
  Microsoft Office 2016 (32-bit edition)   5002537   Security Update   16.0.5435.1001
  Microsoft Office 2016 (32-bit edition)   5002467   Security Update   16.0.5435.1001
  Microsoft Office 2016 (32-bit edition)   5002522   Security Update   16.0.5435.1001
  Microsoft Office 2016 (32-bit edition)   5002469   Security Update   16.0.5435.1001
  Microsoft Office 2016 (32-bit edition)   5002519   Security Update   16.0.5435.1001

For Office 2016 (64-bit edition):

  Product                                  Article   Download          Build Number
  Microsoft Office 2016 (64-bit edition)   5002537   Security Update   16.0.5435.1001
  Microsoft Office 2016 (64-bit edition)   5002467   Security Update   16.0.5435.1001
  Microsoft Office 2016 (64-bit edition)   5002522   Security Update   16.0.5435.1001
  Microsoft Office 2016 (64-bit edition)   5002469   Security Update   16.0.5435.1001
  Microsoft Office 2016 (64-bit edition)   5002519   Security Update   16.0.5435.1001

Is the Preview Pane an attack vector for this vulnerability?
Yes, the Preview Pane is an attack vector.

How could the attacker exploit this vulnerability?
An attacker
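The FAQ above gives one concrete, checkable fact: the Office 2016 (MSI) security updates for this CVE carry build number 16.0.5435.1001. The following PowerShell script is an added example, not part of the Microsoft advisory, that reads the installed Office build on a Windows host and compares it with that number. It assumes (not stated on the page) that for MSI-based Office 2016 the updated build is reflected in the file version of OUTLOOK.EXE under Office16, and that Click-to-Run installs (Office 2019, LTSC 2021, Microsoft 365 Apps) record their build in the ClickToRun\Configuration registry key; the fixed builds for those Click-to-Run channels are not listed on this page, so the script only reports them for manual comparison. The function names are the example's own.

```powershell
# Added example, not from the advisory. Checks whether the installed Office build is at or above
# the Office 2016 build the advisory lists for the February 2024 security updates (16.0.5435.1001).

$FixedMsiBuild = [version]'16.0.5435.1001'   # build number from the advisory's Office 2016 tables

function Get-OutlookMsiBuild {
    # MSI-based Office 2016 installs OUTLOOK.EXE under ...\Microsoft Office\Office16 (Click-to-Run
    # uses ...\root\Office16, which is deliberately not matched here). Returns $null if absent.
    # Assumption: the OUTLOOK.EXE file version tracks the build number the advisory lists.
    $candidates = @(
        (Join-Path $env:ProgramFiles        'Microsoft Office\Office16\OUTLOOK.EXE'),
        (Join-Path ${env:ProgramFiles(x86)} 'Microsoft Office\Office16\OUTLOOK.EXE')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Build the version from the numeric parts; FileVersion as a string may carry extra text.
            $build = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            return [pscustomobject]@{ Path = $path; Build = $build }
        }
    }
    return $null
}

function Get-ClickToRunBuild {
    # Click-to-Run stores the reported Office build and channel CDN in the registry.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path -Path $key)) { return $null }
    $cfg = Get-ItemProperty -Path $key
    return [pscustomobject]@{
        Build    = [version]$cfg.VersionToReport
        Platform = $cfg.Platform
        Channel  = $cfg.CDNBaseUrl
    }
}

function Test-Cve202421413MsiPatch {
    param([Parameter(Mandatory)][version]$InstalledBuild)
    # True when the MSI Office 2016 build is at or above the advisory's patched build.
    return ($InstalledBuild -ge $FixedMsiBuild)
}

$msi = Get-OutlookMsiBuild
$c2r = Get-ClickToRunBuild

if ($msi) {
    if (Test-Cve202421413MsiPatch -InstalledBuild $msi.Build) {
        "MSI Office 2016: OUTLOOK.EXE build {0} >= {1}: patched ({2})" -f $msi.Build, $FixedMsiBuild, $msi.Path
    } else {
        "MSI Office 2016: OUTLOOK.EXE build {0} < {1}: install KB5002537, KB5002467, KB5002522, KB5002469 and KB5002519 ({2})" -f $msi.Build, $FixedMsiBuild, $msi.Path
    }
}
if ($c2r) {
    # The advisory lists no build for Click-to-Run channels; report it for comparison with the
    # February 2024 release notes for the channel indicated by the CDN URL.
    "Click-to-Run Office build {0} ({1}), channel CDN {2}: compare with the February 2024 build for this channel" -f $c2r.Build, $c2r.Platform, $c2r.Channel
}
if (-not $msi -and -not $c2r) {
    'No MSI-based Office 2016 or Click-to-Run Office installation detected.'
}
```

Run it in an elevated PowerShell on the endpoint, or push it through your endpoint management tool and collect the output lines. Because the Preview Pane is an attack vector, treat an unpatched build as exposed even where users are trained not to open attachments.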

Known Exploits (22)

  • Microsoft Outlook Improper Input Validation Vulnerability — added 2026-04-05T02:21:55Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2026-01-25T16:34:54Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-11-30T08:22:06Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-11-20T03:47:53Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-11-06T16:42:03Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-09-23T01:28:42Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-05-11T01:55:39Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2025-03-25T22:49:05Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-12-04T10:26:37Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-08-31T13:18:43Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-06-28T10:27:34Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-06-18T08:11:33Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-05-11T12:28:22Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-05-03T16:09:54Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-29T10:07:34Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-23T12:13:11Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-20T12:41:15Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-19T01:37:15Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-17T14:52:52Z
  • Microsoft Outlook Improper Input Validation Vulnerability — added 2024-02-16T21:10:31Z

Detection & Weaponization (2 sources)

Maturity: Detection

  • YARA rules: expl_outlook_cve_2024_21413.yar, SIGNATURE_BASE_EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24
  • GitHub PoC: 31 repositories

Affected Products (8)

Microsoft Office

  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

Security Updates (8)

Acknowledgments

Haifei Li of Check Point Research (https://research.checkpoint.com/)

Revision History

  • 2024-02-13: Information published.
  • 2024-02-14: Updated the Exploited flag and Exploitability Assessment to indicate that Microsoft was aware of exploitation of this vulnerability. This is an informational change only.
  • 2024-02-14: Mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed. Reverting values to no. This is an informational change only.