Critical zero-click Microsoft Outlook exploit unveiled: update now


Microsoft patched a critical remote code execution vulnerability on June 11th, which affected most Outlook email clients. Morphisec researchers warn that no input from users is required for attackers to execute code on their systems.

Morphisec Threat Labs researchers discovered the vulnerability (CVE-2024-30103) and initially reported it to Microsoft on April 3rd, 2024.

Attackers can exploit it to run arbitrary code on affected systems just by sending an email. Execution is triggered once the email is opened, which is a trivial requirement because Microsoft Outlook has an auto-open email feature.


“This Microsoft Outlook vulnerability can be circulated from user to user and doesn’t require a click to execute,” researchers said in the report. “This is notably dangerous.”

Researchers warn that attackers can easily execute this exploit. The initial compromise could lead to potential data breaches, unauthorized access, and other malicious activities, including a full system compromise.

“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” researchers said.

Morphisec “strongly urges” users to update Microsoft Outlook clients immediately to mitigate the risk. They commended Microsoft for addressing the vulnerability “relatively quickly,” given its problematic nature.

They also hinted that there is an additional vulnerability that is yet to be patched and will be unveiled at the DEF CON 32 conference.