A proof-of-concept (PoC) exploit for CVE-2024-21413, a critical remote code execution (RCE) flaw in Microsoft Outlook dubbed “MonikerLink,” has been released publicly on GitHub, enabling researchers to test the vulnerability in controlled lab environments.
This zero-click issue, with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows attackers to bypass Outlook’s Protected View via malicious hyperlinks in emails, potentially leaking NTLM hashes and enabling RCE when chained with other exploits.
Listed in CISA’s Known Exploited Vulnerabilities catalog, the flaw affects multiple Outlook versions, including Office LTSC 2021, 2019, and 2016, as well as Microsoft 365 Apps, with patches available since the February 2024 Patch Tuesday.
The MonikerLink vulnerability exploits Outlook’s mishandling of specific Uniform Resource Identifiers (URIs) like “file://” in email hyperlinks, tricking the preview pane into opening documents in editable mode without triggering Protected View safeguards.
Attackers craft emails that embed these links, which coerce Outlook to connect to an attacker-controlled SMB server upon preview. The connection leaks local NTLM credentials over the network, where they are often captured using tools like Responder or Impacket.
In the PoC by researcher mmathivanan17, a Python script automates this via hMailServer: it sends a malicious email to a victim’s inbox, where clicking or previewing the link initiates the SMB relay attack.
For full RCE, attackers chain this with vulnerabilities such as CVE-2021-40444 or similar Office flaws, executing payloads after the NTLM relay.
The provided lab OVA simulates a victim machine running Outlook and hMailServer, requiring edits to the hosts file (e.g., IP monikerlink.thm) and credential setup (attacker: attacker).
A more advanced PoC by Xaitax demonstrates end-to-end exploitation, highlighting the flaw’s severity in real-world phishing campaigns.
| CVE ID | CVSS Score | Attack Vector | Affected Products | Patch Status |
|---|---|---|---|---|
| CVE-2024-21413 | 9.8 (Critical) | Network | Outlook in Office 2016/2019/2021, M365 Apps | Patched Feb 2024 |
Detection relies on monitoring for anomalous SMB traffic from Outlook processes or “file://” elements in emails; a Yara rule by Florian Roth scans for these indicators in email artifacts.
Organizations should enforce outbound SMB blocking (TCP 445) to external IPs, deploy Microsoft patches immediately, and use enhanced email filtering to strip suspicious links.
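The check for “file://” elements in emails described above can be sketched as follows. This is an added example, not the Yara rule or either PoC mentioned in the article; the function names, the sample message and the host `files.example.net` are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Hosts that mean "this machine"; anything else in a file: URL is remote.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

class LinkCollector(HTMLParser):
    """Collect href/src attribute values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def remote_file_host(url):
    """Return the remote host a file: URL resolves to, or None if it is local."""
    if not url.lower().startswith("file:"):
        return None
    rest = url[5:].replace("\\", "/")          # treat UNC backslashes as slashes
    slashes = len(rest) - len(rest.lstrip("/"))
    if slashes in (0, 1, 3):                   # file:/path or file:///path is local
        return None
    host = rest.lstrip("/").split("/", 1)[0].lower()
    return None if host in LOCAL_HOSTS else host

def scan_message(raw):
    """Return (host, url) for each remote file: link in a raw message's HTML parts."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        findings += [(h, u) for u in collector.links if (h := remote_file_host(u))]
    return findings

def sample_message():
    """Constructed sample: one remote file: link, one local file: link, one https link."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the HTML part.")
    msg.add_alternative(
        '<a href="file:///\\\\files.example.net\\share\\report.rtf">report</a>'
        '<a href="file:///C:/Users/Public/readme.txt">local</a>'
        '<a href="https://example.com/">site</a>', subtype="html")
    return msg.as_bytes()
```

Calling `scan_message(sample_message())` returns only the link that points at a remote host, which a mail filter could then strip or quarantine.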
High EPSS scores (93.94%) signal ongoing exploitation risk into 2025, urging inventory scans for unpatched endpoints.
Test the PoC ethically via TryHackMe’s MonikerLink room, but avoid production use to prevent unintended compromises. Prompt patching remains the strongest defense against this persistent threat.