Security researchers at Morphisec recently disclosed a serious vulnerability in Outlook. Tracked as CVE-2024-38021, it is a zero-click remote code execution (RCE) flaw, meaning it can give an attacker access to your system without the user clicking on anything.
The issue apparently affects most Microsoft Outlook applications and does not require any user authentication. In the worst case, CVE-2024-38021 can lead to data leaks, unauthorized access, execution of malicious code, and other harm.
The lack of any authentication requirement makes this vulnerability particularly dangerous and a high priority to address. Microsoft initially rated the vulnerability as “high” risk on the assumption that it could only be exploited in certain cases.
The security researchers, however, recommend treating it as “critical” and assuming that it is already being actively exploited.
CVE-2024-38021 was first discovered at the end of April and reported by Morphisec; Microsoft confirmed the report a day later. It nevertheless took until July 9 for Microsoft to roll out a security patch, which shipped as part of that month’s Patch Tuesday updates.
What you need to do now
Since attackers are assumed to be exploiting this security hole already, you should act quickly.
Make absolutely sure that all Microsoft Outlook and Office applications on your systems are updated with the latest patches as soon as they are available to you. Don’t put this off and risk forgetting about it.
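One way to check that the update actually landed, as an added example that is not part of the original article: the PowerShell below reads the installed Click-to-Run Office build from the registry, compares it with a minimum build that you must take from Microsoft’s advisory for CVE-2024-38021 (the `$MinimumBuild` value is a placeholder, not the real patched build), and, if the machine is behind, starts the built-in Office updater. The registry key, the `VersionToReport` and `CDNBaseUrl` values and the `OfficeC2RClient.exe /update user` invocation are standard Click-to-Run components; MSI-based Office installations are patched through Windows Update instead and are not covered here.

```powershell
# Added example, not from the article: report the installed Click-to-Run Office build
# on this machine and trigger an update if it is older than the patched build.

# PLACEHOLDER: replace with the patched build number listed in Microsoft's advisory
# for CVE-2024-38021 for the update channel this machine is on.
$MinimumBuild = [version]'16.0.0.0'

$cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (-not (Test-Path $cfg)) {
    Write-Warning 'No Click-to-Run Office installation found; MSI-based Office is patched via Windows Update.'
    return
}

$props     = Get-ItemProperty -Path $cfg
$installed = [version]$props.VersionToReport   # e.g. 16.0.17628.20144
$channel   = $props.CDNBaseUrl                 # the update channel is encoded in this URL

# Emit one record per machine so the script can be run across a fleet and collected.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Installed    = $installed
    Channel      = $channel
    Patched      = ($installed -ge $MinimumBuild)
}

if ($installed -lt $MinimumBuild) {
    # Start the Click-to-Run updater silently; Outlook must be restarted afterwards
    # for the patched binaries to be loaded.
    $c2r = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    if (Test-Path $c2r) {
        & $c2r /update user displaylevel=false
    } else {
        Write-Warning "OfficeC2RClient.exe not found at $c2r; update Office manually."
    }
}
```

Run it with administrative rights so the updater can replace the Office binaries; compare the reported build against the advisory for the channel shown in `Channel`, since each update channel has its own patched build number.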
It also makes sense to add further safeguards to your Outlook account, especially if you use it for business. Enable additional authentication on the account and, where possible, turn off the automatic preview of incoming email, which reduces the chance that a malicious message is rendered without you opening it.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.