Security researchers from Morphisec have identified a significant security vulnerability in Outlook. Known as CVE-2024-38021, this zero-click remote code execution (RCE) flaw can grant unauthorized access to your system without any user interaction.
This vulnerability affects most Microsoft Outlook applications and doesn’t require user authentication. In severe cases, CVE-2024-38021 can result in data leaks, unauthorized access, execution of malicious code, and other severe consequences.
Related: Is Windows 11’s built-in antivirus enough for normal users?
The absence of user authentication makes this flaw particularly dangerous and an urgent priority. Initially, Microsoft classified this vulnerability as “high” risk, assuming it could only be exploited under specific conditions.
However, security researchers recommend treating this vulnerability as “critical,” assuming it is already being actively exploited.
Morphisec first discovered CVE-2024-38021 at the end of April, and Microsoft confirmed it the following day. Despite this, Microsoft did not release a security patch until July 9, as part of the Tuesday updates.
What You Need to Do Now
Given the likelihood that this security hole is already being exploited, prompt action is essential.
Ensure all Microsoft Outlook and Office applications on your systems are updated with the latest patches immediately. Don’t delay and risk forgetting.
Additionally, consider adding extra security measures to your Outlook account, especially if used for business purposes. Set up two-factor authentication and disable automatic email previews if possible.