Sun Feb 09 2025

The U.S. government warns users about the need to fix a major flaw in Microsoft Outlook.

A critical Outlook vulnerability patched in 2024 is now being actively exploited.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a 2024 Microsoft Outlook vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being exploited in real-world attacks. The agency has given federal agencies a three-week deadline, until February 27, to apply the patch or stop using the affected product.

The vulnerability, tracked as CVE-2024-21413, is an improper input validation flaw in Microsoft Outlook. It was discovered in 2024 by Check Point researcher Haifei Li and carries a critical CVSS score of 9.8 out of 10. An attacker only needs to send an email containing a specially crafted hyperlink. When the link is followed, it bypasses Outlook's Protected View, the sandbox that opens potentially harmful Office files in read-only mode, so the linked file opens in editing mode instead and can lead to remote code execution.
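A mail-gateway or SOC check for this class of link, as an added example that is not part of the original article and not Check Point's or Microsoft's code. It relies on the public description of the bug, in which the crafted hyperlink is a `file://` link whose target is followed by an exclamation mark; that suffix makes Outlook treat the link as a COM moniker and skip Protected View. The two messages below are constructed for the demo, and the addresses and hosts in them are placeholders.

```python
"""Flag MonikerLink-style file:// hyperlinks (the CVE-2024-21413 pattern) in e-mail.

Added example, not code from the original article. Assumes the public
description of the bug: a file: link whose target is followed by '!'.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote

# file: URLs inside plain-text bodies (stop at whitespace or HTML delimiters).
_PLAIN_URL_RE = re.compile(r"""file:[^\s<>"']+""", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect href/src attribute values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def classify_file_link(url):
    """Return None for non-file: links, otherwise a dict describing the risk."""
    if not url.lower().startswith("file:"):
        return None
    # Keep only the target path: drop query/fragment and decode %XX escapes.
    target = unquote(re.split(r"[?#]", url[len("file:"):], maxsplit=1)[0])
    # Normalise backslashes and leading slashes; what remains starts with a
    # drive letter for local paths and with a host name/IP for UNC targets.
    normalised = target.replace("\\", "/").lstrip("/")
    remote = re.match(r"^[a-z]:", normalised, re.IGNORECASE) is None
    # The '!' after the target is the moniker trigger; a '!' in a legitimate
    # file name is rare enough that flagging it is the safer default.
    moniker = "!" in target
    if moniker:
        severity = "high"    # Protected View bypass regardless of location
    elif remote:
        severity = "medium"  # file: link to a share; worth a look but warned
    else:
        severity = "low"     # local file: link, no moniker suffix
    return {"url": url, "moniker": moniker, "remote": remote, "severity": severity}


def scan_message(raw):
    """Parse a raw RFC 5322 message and return findings for file: links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif ctype == "text/plain":
            links.extend(_PLAIN_URL_RE.findall(part.get_content()))
    findings = []
    for url in dict.fromkeys(links):  # de-duplicate, keep order
        verdict = classify_file_link(url)
        if verdict is not None:
            findings.append(verdict)
    return findings


# Constructed sample messages (placeholder addresses and a TEST-NET-3 host).
MALICIOUS = rb"""From: sender@example.invalid
To: victim@example.invalid
Subject: Q1 invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice below.</p>
<a href="file:///\\203.0.113.5\share\invoice.rtf!open">Open invoice</a>
</body></html>
"""

BENIGN = rb"""From: colleague@example.invalid
To: victim@example.invalid
Subject: Report
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See https://example.com/report.rtf or the local copy at file:///C:/Users/me/report.rtf
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        for finding in scan_message(raw):
            print(label, finding)
```

The `remote` flag matters for triage: a moniker link to a UNC path means the victim machine reaches out to an attacker-controlled share before the file opens, so the target host is worth blocking and hunting for in proxy and firewall logs.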

Microsoft released a patch for this vulnerability in February 2024, and its advisory notes that the Preview Pane is also an attack vector. In other words, victims do not need to open the email to be affected; merely previewing it in Outlook may be enough.

The exposure is broad. The flaw is not confined to stand-alone Outlook installs: it is present in the Outlook component of several Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016 and Microsoft Office 2019. Although there was no evidence of exploitation when the patch was released, its inclusion in the KEV catalog means CISA now has evidence that attackers are actively exploiting it.

Alongside the Outlook flaw, CISA added four other vulnerabilities to the catalog in the same batch: one in 7-Zip, one in Audinate's Dante Discovery process, an SQL injection in CyberoamOS, and a buffer overflow in Sophos XG Firewall. Federal agencies must remediate all of them under the same three-week deadline.