- CISA adds an Outlook input validation bug to KEV
- The patch deadline is February 27, 2025
- Criminals are using it for remote code execution
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a 2024 Outlook flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being abused in the wild and giving federal agencies three weeks (until February 27) to patch or stop using the product entirely.
CVE-2024-21413 is an improper input validation flaw affecting Microsoft Outlook. It was discovered in 2024 by Check Point researcher Haifei Li and carries a 9.8/10 (critical) severity score. Attackers can craft special emails containing a certain type of hyperlink that lets them execute arbitrary code remotely. By exploiting this vulnerability, attackers can bypass Outlook's Protected View (a feature designed to open potentially harmful files in read-only mode) and open malicious files in editing mode instead.
Microsoft patched the bug at the end of 2024 and warned users that the preview pane can also serve as an attack vector. In other words, victims do not even need to open the email to be infected; previewing it in Outlook would suffice.
Significant risk
The vulnerability has been found in various desktop products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016 and Microsoft Office 2019.
Although there was no evidence of in-the-wild abuse when the patch was released, its addition to KEV means the vulnerability is now being actively exploited by threat actors.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," said CISA.
In addition to the Outlook vulnerability, the agency added four other bugs: a 7-Zip Mark-of-the-Web bypass, a Dante Discovery process control flaw, a Cyberoam OS SQL injection flaw and a Sophos XG Firewall buffer overflow bug. Federal agencies must patch all of them before March 2025.
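As an added example (not from the article or from CISA), the script below shows how a defender turns KEV due dates into a prioritized list for the products actually in use; it runs over a constructed sample in the shape of CISA's KEV JSON feed, whose field names are assumed from the public format, and the second entry and the dateAdded values are placeholders.

```python
import json
from datetime import date

# Constructed sample mimicking CISA's KEV JSON feed (field names assumed to
# match the public feed). The Outlook entry uses the CVE and due date from
# the article; dateAdded and the second entry are placeholders.
KEV_SAMPLE = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-21413",
      "vendorProject": "Microsoft",
      "product": "Outlook",
      "vulnerabilityName": "Microsoft Outlook Improper Input Validation Vulnerability",
      "dateAdded": "2025-02-06",
      "dueDate": "2025-02-27",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use."
    },
    {
      "cveID": "CVE-EXAMPLE-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2025-01-01",
      "dueDate": "2025-01-22",
      "requiredAction": "Apply updates per vendor instructions."
    }
  ]
}
"""


def load_kev(text):
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, today, products_in_use):
    """Return [(cveID, days_until_due), ...] for KEV entries that affect a
    (vendor, product) pair the organisation runs, most urgent first.
    A negative day count means the CISA deadline has already passed."""
    hits = []
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in products_in_use:
            continue  # not in our inventory; no action required
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        hits.append((entry["cveID"], days_left))
    return sorted(hits, key=lambda h: h[1])
```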