Attacker Tunes in Outlook: Chain Vulnerability Leads to Zero-Click RCE


Akamai security experts are disclosing information about various workarounds for patches that Microsoft published earlier this year to address a zero-click remote code execution vulnerability in Outlook.

After being used in the wild for over a year by a Russian state-sponsored threat actor, Microsoft corrected the original flaw, identified as CVE-2023-23397, in March 2023.

By sending an email reminder with a sound notification given as a route, an unauthenticated attacker may take advantage of this vulnerability and force the Outlook client to connect to the attacker’s server, which would cause the Net-NTLMv2 hash to be delivered to the server.

Read More: Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE

For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.