US government warns users to patch this critical Microsoft Outlook bug

News
By
published

A critical Outlook flaw is being actively exploited

A phone sitting on a laptop keyboard with the Microsoft Outlook logo on the screen.
(Image credit: Shutterstock / JarTee)
  • CISA adds an Outlook improper input validation bug to KEV
  • The deadline to patch is February 27 2025
  • Criminals are using it for remote code execution

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a 2024 Outlook flaw to its catalog of known vulnerabilities, warning users about in-the-wild abuse, and giving federal agencies three weeks (until February 27) to patch up or stop using the tool entirely.

CVE-2024-21413 is an improper input validation flaw plaguing Microsoft Outlook. It was discovered in 2024 by Check Point’s researcher Haifei Li, and was given a severity score of 9.8/10 (critical). Cybercriminals could craft special email messages, loaded with a certain type of hyperlink, that would allow them to run arbitrary code remotely. By exploiting this vulnerability, attackers can bypass Outlook's Protected View (a feature designed to open potentially harmful files in read-only mode) and instead open malicious files in editing mode.

Microsoft patched the bug in late 2024, and warned users that the Preview Pane can also be used as an attack vector. In other words, victims don’t even need to open the email to get infected - previewing it in Outlook would suffice.

Significant risk

The vulnerability was found in different Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019.

While there was no evidence of in-the-wild abuse at the time the patch was released, its addition to KEV means the vulnerability is now being actively used by miscreants.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA says.

Aside from the Outlook vulnerability, the agency added another four bugs, including a 7-Zip Mark of the Web bypass flaw, a Dante discovery process control flaw, a CyberoamsOS SQL injection flaw, and a Sophos XG Firewall buffer overflow bug. Federal agencies need to patch all of these before March 2025.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
malware
US government warns federal agencies to patch dangerous Windows kernel bug
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
CISA tells agencies to patch BeyondTrust bug now
Representational image depecting cybersecurity protection
CISA says Oracle and Mitel have critical security flaws being exploited
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
Latest in News
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems
Google Maps
Nightmare Google Maps glitch is deleting timelines, and there isn't a fix yet
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – Elon Musk confirms 'massive cyberattack' as former Twitter site hit by fourth outage today
Joe Goldberg and Kate Lockwood sitting at a table and looking at the camera in You season 5.
Netflix releases a killer new trailer for You season 5 but my favorite character is missing from Joe's final chapter
More about security
botnet

YouTubers targeted by blackmail campaign to promote malware on their channels
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
Lego Mario Kart – Mario & Standard Kart set on a shelf.

Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
See more latest
Most Popular
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
Tesla Model 3
Tesla's EV sales are plummeting – as used Model Y and Model 3 prices crash to bargain levels
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound
A computer screen showing a spreadsheet in use.
This entire nation's public health department was found to be running on a single Excel spreadsheet
Person using Dyson V8 vacuum
Dyson vacuums have one big problem and I don't understand why
Glowing server racks inside a data center.
The dirty little secret about AI hardware that you should know about: server vendors have to wrestle with wafer thin margins and bigger customers
Joe Goldberg and Kate Lockwood sitting at a table and looking at the camera in You season 5.
Netflix releases a killer new trailer for You season 5 but my favorite character is missing from Joe's final chapter
Google Maps
Nightmare Google Maps glitch is deleting timelines, and there isn't a fix yet
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A laptop on a desk with the Windows 11 background on its screen.
Microsoft is adding image editing and compression to its Windows Share feature - and I couldn't be happier