CVE-2024-38189 Overview
CVE-2024-38189 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Project and related Microsoft Office products. This vulnerability allows attackers to execute arbitrary code on target systems when users open specially crafted Microsoft Project files. The vulnerability has been confirmed as actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This vulnerability enables remote attackers to execute arbitrary code on affected systems through malicious Microsoft Project files, potentially leading to complete system compromise, data exfiltration, and lateral movement within corporate networks.
Affected Products
- Microsoft 365 Apps (Enterprise)
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 (x64 and x86)
- Microsoft Project 2016
Discovery Timeline
- August 13, 2024 - CVE-2024-38189 published to NVD
- October 28, 2025 - Last updated in NVD database
Technical Details for CVE-2024-38189
Vulnerability Analysis
This Remote Code Execution vulnerability in Microsoft Project stems from improper input validation (CWE-20) when processing Project files. The flaw allows attackers to craft malicious .mpp files that, when opened by a victim, can execute arbitrary code in the context of the current user.
The vulnerability requires user interaction—specifically, the victim must open a maliciously crafted Microsoft Project file. However, this is a common attack vector that threat actors exploit through phishing campaigns, compromised file shares, or supply chain attacks targeting project management workflows.
Given its presence on the CISA KEV list, this vulnerability has been actively weaponized by threat actors. Organizations using Microsoft Project for project management are at heightened risk, particularly those in industries where Project files are frequently exchanged between teams and external partners.
Root Cause
The vulnerability is rooted in improper input validation (CWE-20) within the Microsoft Project file parsing routines. When processing certain malformed or specially crafted elements within Project files, the application fails to properly validate input data, creating an opportunity for attackers to inject and execute malicious code.
Attack Vector
The attack requires network-based delivery of a malicious Microsoft Project file to the victim. Common delivery mechanisms include:
- Phishing emails with malicious .mpp attachments
- Compromised file sharing platforms or collaboration tools
- Malicious links leading to automatic file downloads
- Supply chain attacks through compromised project templates
Once the victim opens the malicious file, the exploit triggers without requiring elevated privileges. The code executes with the privileges of the current user, which in many enterprise environments may include access to sensitive resources, network shares, and additional systems.
The attack exploits improper input validation during file parsing, allowing specially crafted content within the Project file to trigger code execution. No additional user interaction beyond opening the file is required for successful exploitation.
Detection Methods for CVE-2024-38189
Indicators of Compromise
- Unexpected Microsoft Project processes spawning child processes (especially cmd.exe, powershell.exe, or scripting hosts)
- Anomalous network connections originating from WINPROJ.EXE process
- Creation of suspicious files or registry modifications following .mpp file access
- Unusual process behavior patterns from Microsoft Project application
Detection Strategies
- Monitor for Microsoft Project (WINPROJ.EXE) spawning unexpected child processes
- Implement email gateway rules to scan and quarantine suspicious .mpp attachments
- Deploy endpoint detection rules for anomalous Microsoft Office application behavior
- Enable Windows Defender Attack Surface Reduction (ASR) rules for Office applications
Monitoring Recommendations
- Configure SIEM alerts for process creation events where WINPROJ.EXE is the parent process
- Monitor file system activity for newly created executables following Project file access
- Track network connections from Microsoft Office applications to external destinations
- Review application crash reports for Microsoft Project that may indicate exploitation attempts
How to Mitigate CVE-2024-38189
Immediate Actions Required
- Apply Microsoft security updates immediately through Windows Update or WSUS
- Enable Microsoft Defender for Endpoint with cloud-delivered protection
- Implement Attack Surface Reduction (ASR) rules for Office applications
- Restrict execution of macros and embedded content in Office applications
- Block or quarantine incoming .mpp files from untrusted sources at the email gateway
Patch Information
Microsoft has released security updates to address CVE-2024-38189. Organizations should apply the latest security updates for all affected products as documented in the Microsoft Security Update Guide.
For enterprise environments, deploy patches through Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager (MECM), or your preferred patch management solution. Given the active exploitation status, this vulnerability should be prioritized for immediate remediation.
Workarounds
- Avoid opening Microsoft Project files from untrusted or unknown sources
- Enable Protected View for files originating from the internet or email attachments
- Consider temporarily blocking .mpp file attachments at the email gateway until patches are applied
- Implement application allowlisting to prevent unauthorized code execution
# Example: PowerShell script to check Microsoft Office update status
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" | Select-Object VersionToReport, UpdateChannel
# Verify current Office version and ensure updates are being applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
