Recently, Morphisec security researchers discovered a dangerous security flaw in Outlook. Designated CVE-2024-38021, this zero-click remote code execution (RCE) vulnerability allows unauthorized system access without any user action.
This flaw affects most Microsoft Outlook applications and requires no user authentication. In worst-case scenarios, CVE-2024-38021 can lead to data breaches, unauthorized access, execution of malicious software, and other significant threats.
The lack of user authentication makes this vulnerability especially hazardous and a high-priority concern. Microsoft initially rated this vulnerability as “high” risk, assuming limited exploitation scenarios.
However, according to security researchers, this vulnerability should be considered "critical" and is likely already being actively exploited.
CVE-2024-38021 was first discovered by Morphisec at the end of April and confirmed by Microsoft the next day. Nonetheless, Microsoft only released a security patch on July 9 as part of its Patch Tuesday updates.
Immediate Actions Required
Given the assumption that attackers are already exploiting this security flaw, swift action is crucial.
Ensure that all Microsoft Outlook and Office applications on your systems are promptly updated with the latest patches. Do not put this update off; a deferred update is easy to overlook.
It is also wise to implement additional security measures for your Outlook account, especially if it is used for business. Enable two-factor authentication and, where feasible, disable automatic email previews, since a zero-click flaw can be triggered without a message ever being opened.