CVE-2024-20673 Overview
CVE-2024-20673 is a remote code execution vulnerability affecting multiple Microsoft Office applications, including Word, Excel, PowerPoint, Publisher, Visio, and Skype for Business. The flaw requires user interaction and allows attackers to execute arbitrary code in the context of the current user when a malicious document is opened. Microsoft assigned the issue a CVSS 3.1 score of 7.8 and classified it under [CWE-693] Protection Mechanism Failure.
Critical Impact
Successful exploitation grants attackers full code execution within the victim's Office process, enabling credential theft, lateral movement, and ransomware deployment.
Affected Products
- Microsoft Office 2016, 2019, and 2021 LTSC
- Microsoft Word, Excel, PowerPoint, Publisher, and Visio 2016
- Microsoft Skype for Business 2016
Discovery Timeline
- 2024-02-13 - CVE-2024-20673 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-20673
Vulnerability Analysis
The vulnerability resides in the Office document parsing logic shared across the affected applications. A crafted document bypasses a built-in protection mechanism, which Microsoft tracks under [CWE-693]. When the user opens the file, the bypassed safeguard permits attacker-controlled logic to run within the Office process. Code executes with the privileges of the current user, which on most workstations includes access to local files, network shares, and authenticated cloud sessions.
The attack vector is classified as Local because the victim must open the malicious document, yet delivery typically occurs through email attachments, phishing links, or compromised file shares. The EPSS model places exploitation probability at 0.408 percent at the 61st percentile, indicating moderate likelihood relative to other CVEs.
Root Cause
Microsoft attributes the issue to a protection mechanism failure in Office's handling of embedded content. The safeguard that normally blocks untrusted content from executing fails to validate input under specific document conditions. Microsoft has not published the precise component or function affected in its public advisories.
Attack Vector
An attacker crafts a malicious Office document and delivers it to the target through email, web download, or shared storage. When the user opens the file and any required preview or activation occurs, the embedded payload executes. Confidentiality, integrity, and availability impacts are all rated High because the resulting code runs without additional sandbox constraints.
No verified public proof-of-concept code is available. Refer to the Microsoft Security Update Guide for vendor-supplied technical context.
Detection Methods for CVE-2024-20673
Indicators of Compromise
- Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, VISIO.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, mshta.exe, or rundll32.exe.
- Outbound network connections initiated directly by Office applications to previously unseen hosts shortly after document open events.
- Unusual file writes by Office processes to %TEMP%, %APPDATA%, or startup locations.
Detection Strategies
- Hunt for parent-child process anomalies where Office binaries launch script interpreters or LOLBins.
- Inspect inbound email and file-share traffic for Office documents containing embedded objects, OLE links, or obfuscated macros.
- Correlate Office crash telemetry with subsequent persistence or credential access activity on the same host.
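The first two hunting strategies above can be expressed as a small offline rule set over Sysmon-style telemetry. The following Python is an added example, not part of the original advisory or any Microsoft tooling: the event records (process creation as event 1, network connection as event 3), the PIDs, host names and the baseline of known-good destinations are all constructed for the example, and the field names are simplified from Sysmon's. It goes slightly beyond the direct parent/child case in the text by walking the process ancestry, so a chain such as WINWORD.EXE -> cmd.exe -> powershell.exe is caught even though PowerShell's immediate parent is cmd.exe.

```python
from datetime import datetime, timedelta
from ntpath import basename

# Office binaries named in the advisory and the script hosts / LOLBins they
# should never spawn.  Both sets are meant to be tuned per environment.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}

# Destinations Office legitimately contacts.  Constructed baseline; a real
# deployment learns this from historical telemetry.
KNOWN_DESTINATIONS = {"officeclient.microsoft.com", "login.microsoftonline.com"}

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample events.  id 1 = process create, id 3 = network connect.
EVENTS = [
    {"ts": "2024-02-14T09:00:01", "id": 1, "host": "WS01", "pid": 4120, "ppid": 1200,
     "image": WORD},
    {"ts": "2024-02-14T09:00:04", "id": 1, "host": "WS01", "pid": 5000, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-02-14T09:00:05", "id": 1, "host": "WS01", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-02-14T09:00:06", "id": 3, "host": "WS01", "pid": 4120,
     "image": WORD, "dest": "203.0.113.7"},
    {"ts": "2024-02-14T09:00:07", "id": 3, "host": "WS01", "pid": 4120,
     "image": WORD, "dest": "officeclient.microsoft.com"},
    {"ts": "2024-02-14T10:15:00", "id": 1, "host": "WS02", "pid": 3300, "ppid": 1200,
     "image": EXCEL},
    {"ts": "2024-02-14T10:15:02", "id": 1, "host": "WS02", "pid": 3400, "ppid": 3300,
     "image": r"C:\Windows\splwow64.exe"},   # benign print helper, not flagged
    {"ts": "2024-02-14T10:30:00", "id": 3, "host": "WS02", "pid": 3300,
     "image": EXCEL, "dest": "198.51.100.9"},  # 15 min after start: outside window
]


def _name(path):
    return basename(path).lower()


def build_process_table(events):
    """Map (host, pid) -> process-create event so ancestry can be walked."""
    return {(e["host"], e["pid"]): e for e in events if e["id"] == 1}


def office_ancestor(table, host, ppid, max_depth=8):
    """Return the image name of the nearest Office ancestor, or None."""
    key = (host, ppid)
    for _ in range(max_depth):
        proc = table.get(key)
        if proc is None:          # reached explorer.exe or an untracked PID
            return None
        name = _name(proc["image"])
        if name in OFFICE_IMAGES:
            return name
        key = (host, proc["ppid"])
    return None


def find_suspicious_children(events):
    """Strategy 1: script hosts / LOLBins with an Office process in their ancestry."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["id"] != 1 or _name(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        ancestor = office_ancestor(table, e["host"], e["ppid"])
        if ancestor:
            findings.append((e["host"], ancestor, _name(e["image"]), e["pid"]))
    return findings


def find_post_open_beacons(events, window_seconds=120):
    """IoC 2: Office process connects to an unknown host shortly after starting."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["id"] != 3 or _name(e["image"]) not in OFFICE_IMAGES:
            continue
        if e["dest"] in KNOWN_DESTINATIONS:
            continue
        start = table.get((e["host"], e["pid"]))
        if start is None:
            continue
        age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(start["ts"])
        if timedelta(0) <= age <= timedelta(seconds=window_seconds):
            findings.append((e["host"], _name(e["image"]), e["dest"], int(age.total_seconds())))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_children(EVENTS):
        print("office-spawned LOLBin:", f)
    for f in find_post_open_beacons(EVENTS):
        print("post-open beacon:", f)
```

Over the constructed events this flags cmd.exe and powershell.exe under WINWORD.EXE on WS01 and the connection to 203.0.113.7 five seconds after Word started; the Excel connection on WS02 is only reported if the window is widened, which is the knob to tune against your own false-positive rate.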
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office child process creation and Win32 API calls from macros.
- Forward Sysmon process creation, image load, and network events from endpoints running Microsoft Office to a centralized analytics platform.
- Alert on Mark-of-the-Web bypass patterns, including Office files opened from archives or network shares without the protected view banner.
How to Mitigate CVE-2024-20673
Immediate Actions Required
- Apply the February 2024 Microsoft security updates referenced in the Microsoft Security Update Guide to all affected Office installations.
- Inventory endpoints running Office 2016, 2019, and 2021 LTSC, plus Skype for Business 2016, and prioritize patching for users handling external documents.
- Restrict execution of untrusted Office documents through Protected View and block macros from internet-sourced files via Group Policy.
Patch Information
Microsoft released patches for all affected products on the February 2024 Patch Tuesday. Administrators using Click-to-Run can deploy fixes through the Office update channel, while MSI-based deployments require the monthly security update package. Validate patch installation by confirming updated build numbers reported in File > Account > About for each Office application.
Workarounds
- Enforce Protected View for documents originating from the internet, email attachments, and unsafe locations.
- Disable OLE object activation in Office documents through the Trust Center where business workflows allow.
- Deliver targeted user training that reinforces caution around unsolicited Office attachments and disabled-by-default content prompts.
# Configuration example: keep Protected View enabled for Word on Windows clients.
# A value of 0 leaves each "Disable ... in Protected View" option off, so the safeguard stays on; repeat for the Excel and PowerPoint subkeys.
# To enforce the setting so users cannot switch it off, write the same values under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView (the Group Policy path).
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.