Morphisec has issued a warning about a critical remote code execution (RCE) vulnerability (CVE-2024-30103) in Microsoft Outlook, addressed in the June 2024 Patch Tuesday updates. The flaw, with a CVSS score of 8.8, allows attackers to bypass Outlook registry block lists and create malicious DLL files without user interaction. The attack vector includes the Outlook Preview Pane, and exploitation is possible over a network, affecting Outlook 2016, Office LTSC 2021, 365 Apps for Enterprise, and Office 2019. Although Microsoft classifies the vulnerability as ‘important’, Morphisec deems it ‘critical’ due to its potential for widespread exploitation. Exploitation can occur as soon as an affected email is opened, posing a high risk for accounts with auto-open email features. Successful exploitation can lead to data exfiltration, unauthorized system access, and full system compromise. Morphisec plans to release technical details and a proof-of-concept exploit at DEF CON this summer. Users are strongly advised to update their Outlook clients promptly, as similar zero-click exploits have been used in previous attacks.