- CISA adds an improper input validation flaw to KEV
- The patch deadline is February 27, 2025
- Criminals are exploiting it for remote code execution
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a 2024 Outlook flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning users about exploitation in the wild and giving federal agencies three weeks (until February 27) to patch or stop using the tool altogether.
CVE-2024-21413 is an improper input validation flaw affecting Microsoft Outlook. It was discovered in 2024 by Check Point researcher Haifei Li and received a severity score of 9.8/10 (critical). Cybercriminals could craft special email messages containing a certain type of hyperlink that would allow them to execute arbitrary code remotely. By exploiting this vulnerability, attackers can bypass Outlook's Protected View (a feature designed to open potentially harmful files in read-only mode) and instead open malicious files in editing mode.
Microsoft patched the bug at the end of 2024 and warned users that the preview pane can also be used as an attack vector. In other words, victims do not even need to open the email to be infected; previewing it in Outlook would be enough.
Significant risk
The vulnerability was found in several Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016 and Microsoft Office 2019.
Although there was no evidence of exploitation in the wild at the time the patch was released, its addition to KEV means the vulnerability is now being actively exploited by criminals.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," says CISA.
In addition to the Outlook vulnerability, the agency added four more bugs, including a 7-Zip Mark-of-the-Web bypass flaw, a Dante Discovery process control flaw, a CyberoamOS SQL injection flaw and a Sophos XG Firewall buffer overflow bug. Federal agencies must remediate all of them before March 2025.