CVE-2024-30101: Microsoft Office Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Jun

Released

2024-06-11

EPSS Score

1.14% (percentile: 78.4%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Successful exploitation of this vulnerability requires a user to open a malicious email with an affected version of Microsoft Outlook and then perform specific actions to trigger the vulnerability. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Is the Preview Pane an attack vector for this vulnerability? Yes. The Preview Pane is an attack vector, but additional user interaction is required.

Affected Products (8)

Microsoft Office

• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions
• Microsoft Office 2016 (32-bit edition)
• Microsoft Office 2016 (64-bit edition)

Security Updates (4)

• 5002591
• 5002575
• 5002591
• 5002575

Acknowledgments

849db8e253fb723f1bb056416bce0922

Revision History

• 2024-06-11: Information published.