EXCLUSIVE WEBINAR: Microsoft Outlook Chaos Unleashed — Live Technical Analysis of new Vulnerabilities
arrow-white arrow-white Secure your spot

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook

Posted by Michael Gorelik on July 9, 2024
Find me on:

Morphisec researchers have identified a significant vulnerability, CVE-2024-38021 — a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.  

Outlook Moniker Parsing VulnerabilityUnlike the previously discovered vulnerability CVE-2024-30103 disclosed in June —which required authentication (at least an NTLM token)— this new vulnerability does not require any authentication. 


CVE-2024-38021 Vulnerability Details and Technical Impact

If exploited, CVE-2024-38021 can lead to potential data breaches, unauthorized access, and other malicious activities. 

Microsoft has assessed this vulnerability with an "Important" severity rating. Their assessment differentiates between trusted and untrusted senders, noting that while the vulnerability is zero-click for trusted senders, it requires one click user interaction for untrusted senders. 

Given the broader implications of this vulnerability, particularly its zero-click vector for trusted senders and its potential for much wider spread impact, we have requested Microsoft to reassess the severity and label it as "Critical." This reassessment is crucial to reflect the true risk and ensure adequate attention and resources are allocated for mitigation. The complexity for this RCE is higher than CVE-2024-30103, reducing the likelihood of short-term exploitation. However, the chaining of this vulnerability with another could potentially simplify the attack process. 


Timeline of Events

April 21, 2024: The vulnerability was initially reported to Microsoft by Morphisec researchers as part of responsible disclosure policy.  

April 26, 2024: The vulnerability was confirmed.  

July 9, 2024: Microsoft included a patch for CVE-2024-38021 as part of its Patch Tuesday updates.  

We commend Microsoft for addressing this vulnerability relatively quickly, especially considering its problematic nature and the complexity of the previous patch. 


Exploitation Risk 

Given its zero-click nature (for trusted senders) and lack of authentication requirements, CVE-2024-38021 poses a severe risk. Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction. The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation. 


Patch Release and Urgent Call to Action 

Patch Deployment: Ensure that all Microsoft Outlook and Office applications are updated with the latest patches as soon as they are available. 

Email Security: Implement robust email security measures, including disabling automatic email previews if possible. 

User Awareness: Educate users about the risks associated with opening emails from unknown or suspicious sources. 

Ensuring optimal and comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) reduces further risk and will offer endpoint assurance against known and unknown attacks. 

New call-to-action

Research and Discovery Process 

Morphisec’s research involved extensive fuzzing and reverse engineering of Microsoft Outlook's codebase to identify the specific conditions that led to the discovery of this Microsoft Outlook vulnerability. The findings were then thoroughly documented and reported to Microsoft (as per responsible disclosure process), ensuring a collaborative approach to addressing the issue. 


Upcoming Technical Details and Proof of Concept 

 Morphisec will be releasing the technical details and POC for CVE-2024-30103 and CVE-2024-38021 at the DEF CON 32 conference in Las Vegas. This will be part of the presentation "Outlook Unleashing RCE Chaos: CVE-2024-30103 & 2024-38021" with Michael Gorelik and Arnold Osipov as presenters. 

Following DEF CON 32, the Morphisec Threat Labs team will be presenting their technical findings in a live virtual threat briefing on August 15th at 1pm ET. Join to hear directly from those that discovered these vulnerabilities, learn more about the vulnerabilities, and ask questions live. Register now to save your spot. 

Register for the Live Technical Analysis


How Morphisec can Help 

At Morphisec, we utilize Automated Moving Target Defense (AMTD) techniques to significantly reduce the risk of exploitation from vulnerabilities like CVE-2024-38021. By continuously and dynamically altering the attack surface, Morphisec AMTD creates a highly challenging environment for potential attackers. This innovative and preventative approach strengthens the protection of our clients against a broad spectrum of sophisticated cyber threats. 

Additionally, Morphisec’s AMTD technology acts as a virtual patch and compensating control for unpatched vulnerabilities. It proactively thwarts attacks on unpatched operating systems and application vulnerabilities by disrupting attack pathways, effectively dismantling an attacker’s framework.  

Experience Morphisec firsthand — schedule a demo today. 

 Get a Demo of Morphisec