Skip to content
feed: live about
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2024-21413

Microsoft Outlook MonikerLink Remote Code Execution

A vulnerability in how Microsoft Outlook processes specially crafted hyperlinks (the "MonikerLink" flaw) allows an attacker to bypass Outlook's Protected View and trigger remote code execution simply by having a user click a malicious link in an email.

cat cve-2024-21413.json
Vendor
Microsoft
Product
Outlook (Microsoft 365 Apps, Office 2016–2021)
CVSS
9.8
Status
patched
Published

CVE-2024-21413, nicknamed “MonikerLink” by the researcher who reported it (Check Point Research), is a remote-code-execution vulnerability in Microsoft Outlook. By crafting a hyperlink using the file:// moniker syntax with a specific exclamation-mark suffix, an attacker could cause Outlook to bypass Protected View entirely — the sandboxing feature meant to neutralize risky content from untrusted documents — and open the file directly, leading to code execution and, in some configurations, NTLM credential leakage.

Microsoft patched the vulnerability as part of its February 2024 Patch Tuesday release. Unlike several other entries in this tracker, MonikerLink had not been confirmed as exploited in the wild at time of disclosure, but its low complexity (no special privileges, minimal user interaction beyond a single click) and the ubiquity of Outlook made it a high-priority patch for enterprises.

Why it mattered

Outlook is one of the most widely deployed email clients in the world, and a flaw that defeats Protected View with one click is exactly the kind of bug ransomware affiliates look for as an initial-access vector. Security teams treated this as a “patch immediately” item even absent confirmed in-the-wild exploitation, given how often Protected View bypasses get weaponized shortly after disclosure.

See Microsoft’s own MSRC advisory and the NVD record above for affected version ranges and patch guidance.