CVE-2024-21378: Microsoft Outlook RCE Vulnerability

CVE-2024-21378 Overview

CVE-2024-21378 is a remote code execution vulnerability affecting Microsoft Outlook and related Microsoft Office products. The flaw allows an authenticated attacker to execute arbitrary code by abusing the synchronization of malicious Outlook form objects. Microsoft assigned this issue a CVSS 3.1 base score of 8.8 and the vulnerability is mapped to [CWE-94] Improper Control of Generation of Code. The vulnerability impacts Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Outlook 2016. Although no public proof-of-concept is listed and the issue is not present on the CISA Known Exploited Vulnerabilities catalog, the EPSS score of 27.314% places it in the 96th percentile for likelihood of exploitation.

Critical Impact

An authenticated attacker on the network can achieve remote code execution against Outlook clients, compromising confidentiality, integrity, and availability of the targeted host.

Affected Products

• Microsoft 365 Apps for Enterprise
• Microsoft Office 2019 and Office LTSC 2021
• Microsoft Outlook 2016

Discovery Timeline

• 2024-02-13 - CVE-2024-21378 published to NVD as part of Microsoft's February 2024 Patch Tuesday
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-21378

Vulnerability Analysis

The vulnerability resides in how Microsoft Outlook processes custom form objects synchronized through a connected Exchange or messaging server. An attacker who possesses valid credentials for an Exchange mailbox can craft a malicious Outlook form and synchronize it to the victim's client. When Outlook loads the attacker-controlled form, it instantiates code embedded in the form's script or referenced library, leading to code execution in the context of the Outlook process.

The issue is classified under [CWE-94] Improper Control of Generation of Code (Code Injection). Exploitation does not require user interaction beyond the normal operation of Outlook synchronizing with the mailbox, which makes it suitable for lateral movement once an attacker has obtained mailbox credentials.

Root Cause

The root cause is insufficient validation of form objects and their associated message classes during synchronization. Outlook trusts the form definition pushed from the server-side mailbox and loads referenced executable content without restricting it to safe components. This permits an attacker-controlled form to direct Outlook to load arbitrary code at runtime.

Attack Vector

The attack vector is network-based. An attacker authenticates to a target user's mailbox, deploys a malicious custom form to that mailbox, and triggers Outlook to process it. Successful exploitation grants code execution under the privileges of the Outlook user, providing a foothold for credential theft, persistence, or lateral movement across the Microsoft 365 environment.

No verified public exploit code is available. Technical details are described in the Microsoft Security Update for CVE-2024-21378.

Detection Methods for CVE-2024-21378

Indicators of Compromise

• Unexpected creation or modification of custom Outlook forms (IPM.Note.* message classes) in user mailboxes.
• outlook.exe spawning unusual child processes such as cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe.
• Outbound network connections initiated by outlook.exe to non-Microsoft infrastructure shortly after mailbox synchronization.
• Suspicious DLLs loaded from user-writable paths into the Outlook process.

Detection Strategies

• Hunt for process trees where outlook.exe is the parent of script interpreters or LOLBins.
• Inspect Exchange and Microsoft 365 audit logs for Add-MailboxFolderPermission, form publishing events, and unusual MAPI form modifications.
• Apply behavioral identification rules that flag code execution originating from Office processes after mailbox synchronization.

Monitoring Recommendations

• Centralize Outlook, Exchange, and endpoint telemetry in a SIEM or data lake for correlation across mailbox events and host activity.
• Alert on the creation of .cfg form configuration files or new entries under HKCU\Software\Microsoft\Office\<version>\Outlook\Forms.
• Monitor for repeated authentication failures or anomalous logons to Exchange mailboxes that may precede form publication.

How to Mitigate CVE-2024-21378

Immediate Actions Required

• Apply the February 2024 Microsoft security updates to all affected Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Outlook 2016 installations.
• Audit Exchange mailboxes for unauthorized custom forms and remove any that are not explicitly required.
• Reset credentials for accounts suspected of exposure and enforce multi-factor authentication on all mailbox accounts.

Patch Information

Microsoft released fixes addressing CVE-2024-21378 in its February 2024 Patch Tuesday cycle. Refer to the Microsoft Security Update Guide entry for CVE-2024-21378 for the specific KB articles and minimum patched build numbers per product channel.

Workarounds

• Block the publication of custom Outlook forms by setting the DisableCustomForms policy where business processes allow.
• Restrict mailbox access by enforcing strong authentication and conditional access policies that limit risky sign-ins.
• Remove or disable legacy form libraries and review organizational forms libraries for unused or unsigned content.

# Disable custom Outlook forms via Group Policy registry setting
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v DisableCustomForms /t REG_DWORD /d 1 /f