CVE-2024-21413
📋 TL;DR
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook that allows attackers to execute arbitrary code by tricking users into opening malicious emails. The vulnerability exploits the MonikerLink feature to bypass security protections. All users of affected Outlook versions are at risk.
💻 Affected Systems
- Microsoft Outlook
📦 What is this software?
365 Apps by Microsoft
Office 2016 by Microsoft
Office 2019 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the victim's computer, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Malware installation leading to credential theft, data exfiltration, and persistence mechanisms being established on compromised systems.
If Mitigated
Limited impact with proper email filtering, endpoint protection, and user awareness preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction (opening or previewing malicious email). Multiple security vendors have published detection scripts and analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
Restart Required: Yes
Instructions:
1. Apply Microsoft's February 2024 security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify Outlook is updated to the latest version.
🔧 Temporary Workarounds
Disable MonikerLink feature via registry
Windows: Disables the vulnerable MonikerLink feature in Outlook to prevent exploitation
reg add "HKCU\Software\Microsoft\Office\16.0\Outlook\Security" /v "EnableMonikerLink" /t REG_DWORD /d 0 /f
Block external HTML content
Windows: Configure Outlook to block external HTML content, which can prevent the exploit
🧯 If You Can't Patch
- Implement strict email filtering to block emails with suspicious links and attachments
- Disable Outlook Preview Pane feature for all users
🔍 How to Verify
Check if Vulnerable:
Check the Outlook version and compare it against the patched versions. Versions without the February 2024 updates are vulnerable.
Check Version:
In Outlook: File > Office Account > About Outlook
Verify Fix Applied:
Verify that Outlook has the February 2024 security updates installed and that the version is updated. If using the workaround, check that the registry value EnableMonikerLink is set to 0.
📡 Detection & Monitoring
Log Indicators:
- Outlook crash logs, suspicious process creation from Outlook.exe, unusual network connections from Outlook
Network Indicators:
- Outbound connections to suspicious domains from Outlook process, unusual SMB or HTTP traffic patterns
SIEM Query:
Process Creation where Parent Process contains "OUTLOOK.EXE" AND Command Line contains suspicious patterns
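One way to turn the log and network indicators above into a triage check, as an added example that is not from the original page or from any vendor script. It assumes Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records already parsed into dictionaries; the child-process list, internal address ranges, Outlook path and sample events are constructed assumptions.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumption: programs Outlook has little reason to start directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: address ranges treated as internal; adjust to the local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed install path used only by the sample events below.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

def exe_name(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(event):
    """Return a finding label for one event, or None when it is not of interest."""
    eid = event.get("EventID")
    if eid == 1 and exe_name(event.get("ParentImage")) == "outlook.exe":
        child = exe_name(event.get("Image"))
        if child in SUSPICIOUS_CHILDREN:
            return f"outlook-child:{child}"
    if eid == 3 and exe_name(event.get("Image")) == "outlook.exe":
        # Outbound SMB (TCP 445) from Outlook to a non-internal address.
        if event.get("DestinationPort") == 445 and is_external(event["DestinationIp"]):
            return f"outlook-smb-external:{event['DestinationIp']}"
    return None

def scan(events):
    return [finding for finding in map(triage, events) if finding]

# Constructed sample events (field names follow Sysmon Event ID 1 and 3).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ParentImage": OUTLOOK, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "203.0.113.10", "DestinationPort": 445},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "10.0.5.20", "DestinationPort": 445},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The browser launch, the internal SMB connection and the outbound HTTPS connection are deliberately left unflagged so the check stays quiet on ordinary Outlook activity.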
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
- https://www.vicarius.io/vsociety/posts/cve-2024-21413-critical-monikerlink-vulnerability-affecting-microsoft-outlook-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2024-21413-critical-monikerlink-vulnerability-affecting-microsoft-outlook-mitigation-script
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21413