Microsoft Office 2016-2021 and 365 Apps for Enterprise - Remote Code Execution (RCE) via Microsoft Outlook Code Injection Vulnerability (CVE-2024-21413)

Description

Context

Microsoft Office is a productivity software suite that includes essential applications and tools which are widely used for word processing, data analysis, presentations, and communication. Microsoft 365 Apps for Enterprise is a subscription-based version of Office tailored for businesses and organizations. It includes premium versions of Office applications, along with cloud services such as OneDrive for Business and Microsoft Teams. Microsoft Outlook is an email client and personal information manager. It offers features for managing email communication, calendars, tasks, and contacts. Outlook integrates with Microsoft Exchange and Microsoft 365 for enterprise use.

Vulnerability Summary

The Microsoft Outlook application, available within the Microsoft Office suite of products, contains a critical code injection vulnerability. Outlook constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not correctly neutralize special elements that could modify the syntax or behavior of the intended code segment.

Technical Details

The vulnerability exists due to the behavior of the MkParseDisplayName() API as used by Microsoft Outlook. This API parses a string and converts it into a moniker that identifies the object named by the string. A moniker is an identifier which allows applications to access and manage objects, such as files or software components. In this case, the file:/// moniker resolves a file at the location specified within the link. Adding an exclamation point (!) to such a hyperlink changes the way in which it is processed and bypasses Outlook's validation checks for the link.

Impact If Exploited

The flaw allows attackers to bypass built-in Outlook protections for malicious links embedded in emails by using the file:// protocol and adding an exclamation mark (!) to URLs pointing to attacker-controlled servers. Successful exploitation of the vulnerability allows a remote unauthenticated attacker to potentially access local NTLM credential information, or perform remote code execution via connections to malicious remote resources.
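The Technical Details and Impact sections above describe the link shape a defender should be looking for in mail bodies: a file:// hyperlink that points at a host rather than a local drive, with an exclamation mark after the path. The following is an added example written for this page, not code from AppCheck or Microsoft, that pulls every href out of an HTML mail body and classifies the file:// links by those two properties. The sample body and the hostnames in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample mail body (not taken from the advisory). Hostnames are placeholders.
SAMPLE_HTML = r"""
<p>See <a href="https://intranet.example/report">the quarterly report</a>.</p>
<p>Local copy: <a href="file:///C:/Users/Public/notes.txt">notes</a>.</p>
<p>Shared copy: <a href="file://share.example/docs/q1.docx">Q1 document</a>.</p>
<p>Please <a href="FILE:///\\untrusted.example\share\test.rtf!something">click here</a>.</p>
"""


class _HrefCollector(HTMLParser):
    """Collects href attribute values of <a> tags in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify_link(href: str) -> Dict[str, object]:
    """Describe one hyperlink: is it file:, does it name a remote host, does it carry a '!'."""
    info: Dict[str, object] = {"href": href, "file_scheme": False, "remote_host": None, "bang": False}
    if not re.match(r"\s*file:", href, re.IGNORECASE):
        return info
    info["file_scheme"] = True
    rest = re.sub(r"^\s*file:", "", href, flags=re.IGNORECASE)
    # file:///C:/x, file://host/x and file:///\\host\x all reduce to "<head><sep>..." once
    # leading slashes and backslashes are removed; <head> is a drive letter or a host name.
    rest = rest.lstrip("/\\")
    head = re.split(r"[/\\]", rest, maxsplit=1)[0]
    is_drive = re.fullmatch(r"[A-Za-z]:", head) is not None
    if head and not is_drive and head.lower() != "localhost":
        info["remote_host"] = head  # heuristic: anything that is not a drive letter is a host
    info["bang"] = "!" in rest
    return info


def risk_level(info: Dict[str, object]) -> str:
    """Rank a classified link for triage: remote file share plus '!' is the pattern of concern."""
    if not info["file_scheme"]:
        return "none"
    if info["remote_host"] and info["bang"]:
        return "high"
    if info["remote_host"]:
        return "medium"
    return "low"


def scan_html_body(html: str) -> List[Dict[str, object]]:
    """Return classification records for every file: link found in an HTML mail body."""
    collector = _HrefCollector()
    collector.feed(html)
    return [c for c in (classify_link(h) for h in collector.hrefs) if c["file_scheme"]]


if __name__ == "__main__":
    for record in scan_html_body(SAMPLE_HTML):
        print(f"{risk_level(record):6}  host={record['remote_host']!s:20}  {record['href']}")
```

The host heuristic is deliberately broad: an IP address or a short internal name is still reported as a remote host, so the "medium" tier will include legitimate links to internal file shares and is for triage rather than blocking. Only the combination of a remote host and a trailing "!" is ranked "high".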

Threat Landscape & Known Exploitation

Exploit code is readily available to attackers via sites including GitHub.

This vulnerability has been reported by CISA (America's Cyber Defense Agency) under its Known Exploited Vulnerabilities (KEV) catalogue process to be actively exploited in the wild as of 2025-02-06. It was dubbed the 'MonikerLink' bug by the security researchers responsible for disclosing it, as part of a white paper on the wider exploitation of Microsoft Outlook.

Microsoft is one of the most frequently targeted vendors by attackers due to its near-ubiquitous deployment across many organisations. CISA have previously published warnings of the earlier, active exploitation of over one hundred vulnerabilities in Microsoft products, including most recently CVE-2024-29059 in February 2025 together with CVE-2025-21335, CVE-2025-21334 and CVE-2025-21333 in January 2025.

Affected Product Versions

  • Microsoft Office 2016 (64-bit edition) prior to release 16.0.5435.1001

  • Microsoft Office 2016 (64-bit edition) prior to release 16.0.5435.1000

  • Microsoft Office 2016 (32-bit edition) prior to release 16.0.5435.1001

  • Microsoft Office 2016 (32-bit edition) prior to release 16.0.5435.1000

  • Microsoft Office LTSC 2021 for 32-bit editions prior to security update (February 13, 2024)

  • Microsoft Office LTSC 2021 for 64-bit editions prior to security update (February 13, 2024)

  • Microsoft 365 Apps for Enterprise for 64-bit Systems prior to security update (February 13, 2024)

  • Microsoft 365 Apps for Enterprise for 32-bit Systems prior to security update (February 13, 2024)

  • Microsoft Office 2019 for 64-bit editions prior to security update (February 13, 2024)

  • Microsoft Office 2019 for 32-bit editions prior to security update (February 13, 2024)

Indicators of Compromise (IoC)

(An Indicator of Compromise (IoC) is a piece of digital forensic evidence that suggests that an endpoint or network may have been breached. These often include IP addresses involved in known exploitation. AppCheck provides this information so that customers can investigate a potential breach, as well as take proactive actions such as blocking known malicious IPs or URIs in firewalls and application delivery controllers (IPs and URLs) or adding File Integrity Check rules (hashes).)

Microsoft has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Remediation Guidance

Microsoft released security fixes to address this vulnerability in their February 2024 Security Patch cycle and the patches are available in the February 2024 Cumulative Update. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system. Install the update, and refer to the advisory for any further configuration that may be required. Updates can be applied via one of the following methods:

  • This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

  • To get the standalone package for this update, go to the Microsoft Update Catalog website.

  • You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

Microsoft has not advised of any alternative temporary mitigation or workarounds at the time of writing.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact or disrupt required functionality within a given customer application. Care should therefore be taken to analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Risk

Impact: Critical
Probability: Critical
CVSS v4 Score: 9.3 / 10
CVSS v3 Score: 9.8 / 10
CVSS v2 Score: 8.3 / 10
EPSS: 93.7 %

Versions

Information

Category: Code Injection
CWE:
  • CWE-94
Known Exploitation Activity:

OWASP

OWASP 2013: A1 - Injection
OWASP 2017: A1 - Injection
OWASP 2021: A3 - Injection