Advisory February 20, 2024

Microsoft Office Outlook vulnerability

The Obrela TI Team

A Remote Code Execution vulnerability with CVE-2024-21413 has been discovered in Microsoft Office Outlook. The vulnerability has a Critical CVSS Base Score of 9.8 out of 10.


CVE-2024-21413, named MonikerLink, represents a significant remote code execution (RCE) flaw impacting Microsoft Outlook, a widely-used email client.

This vulnerability enables malicious actors to evade Outlook protections with harmful links within emails, potentially resulting in the theft of NTLM credentials.

It’s noteworthy that this flaw can be combined with other Office vulnerabilities to achieve remote code execution. The Outlook Preview Pane serves as the avenue for exploitation when an attacker sends a maliciously crafted link. By exploiting this flaw, the attacker can bypass the Office Protected View and open documents in editing mode instead of protected mode, exposing local NTLM credentials and enabling RCE. Successful exploitation grants attackers elevated privileges, including read, write, and delete capabilities.

Affected Versions:

CVE-2024-21413 affects multiple Office products as seen below:

  • Microsoft Office 2019 (from version 19.0.0)
  • Microsoft 365 Apps for Enterprise (from version 16.0.1)
  • Microsoft Office LTSC 2021 (from version 16.0.1)
  • Microsoft Office 2016 (before version 16.0.5435.1000)


To mitigate this critical vulnerability, Office 2016 users should promptly apply relevant security updates.

The updates, applicable to both 32-bit and 64-bit editions, include: 5002537, 5002467, 5002522, 5002469, and 5002519 (all with build number 16.0.5435.1001).

As of now, for the rest of the affected products and versions there hasn’t been a downloadable updated version yet. Ιt is advisable to update any office/outlook product to the latest version, as attackers can discover ways to exploit a certain vulnerability in more versions in the following days.



cyber shield, security