
0-Click Outlook Vulnerability Triggered RCE When Email is Opened – Technical Analysis

Morphisec researchers have disclosed a critical vulnerability in Microsoft Outlook, tracked as CVE-2024-30103, that can lead to malicious code running as soon as a crafted email is opened, with no link to click and no attachment to launch.

This article walks through the technical details of CVE-2024-30103: the registry handling quirk it abuses, how it can be exploited, and what it means for systems running Outlook.

The vulnerability allows remote code execution through maliciously injected Outlook forms, which makes it a significant threat to any organization that relies on Outlook.

Technical Details of CVE-2024-30103

Earlier this year, NetSPI disclosed a related vulnerability, CVE-2024-21378, which exposed Outlook to authenticated remote code execution via synced form objects.

Morphisec researchers built on the findings of CVE-2024-21378 to identify CVE-2024-30103.

CVE-2024-30103 stems from a flaw in the allow-listing mechanism that is meant to validate form server properties: the validation is incomplete, so a synchronized custom form can still be instantiated without authorization.

Specifically, the allow-listing algorithm fails to account for certain character manipulations in registry paths.

Morphisec demonstrated that, by using special characters such as a trailing backslash, the registry path can be manipulated to slip past the security check and trigger the instantiation of a malicious form server executable.

The key to the exploit is how the Windows API function RegCreateKeyExA handles key names. Backslashes separate key levels in a registry path, but a trailing backslash is not treated as the start of a further nested key: the function simply strips it. By exploiting this behavior, an attacker can craft a registry path that passes the check yet points to a malicious executable, which is instantiated when a specially crafted email is opened in Outlook.

Concretely, "InprocServer32\" is created as "InprocServer32". The allow-list's exact-match comparison, however, sees the two strings as different. That discrepancy is the bypass: the matcher judges the name harmless, while the registry delivers exactly the key the matcher was meant to catch.
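To make the discrepancy concrete, here is an added Python model (not Morphisec's or Microsoft's code) of the subkey matcher the article describes, placed next to the way the registry resolves the same name. The list of names being compared, BLOCKED, is a stand-in constructed for this example; the real list Outlook uses is not given on the page, and the assumption that more than one trailing backslash collapses the same way as one is also the example's, not the article's.

```python
# Added example (not Morphisec's or Microsoft's code): a model of the subkey
# matcher the article describes, beside the registry's own handling of a
# trailing backslash. BLOCKED is a constructed stand-in for the list Outlook
# compares subkey names against; the real list is not given on the page.

BLOCKED = ("InprocServer32", "LocalServer32")
_BLOCKED_FOLDED = {name.casefold() for name in BLOCKED}


def registry_key_name(subkey: str) -> str:
    """How the registry resolves a subkey name, per the RegCreateKeyExA
    behaviour described above: trailing backslashes are dropped, so
    'InprocServer32\\' opens or creates the key 'InprocServer32'. Key names
    are case-insensitive, so the canonical form is case-folded as well.
    Assumption of this model: several trailing backslashes collapse like one."""
    return subkey.rstrip("\\").casefold()


def matcher_prepatch(subkey: str) -> bool:
    """Pre-patch check as the article explains it: the name is compared as
    written, so 'InprocServer32\\' is judged different from 'InprocServer32'."""
    return subkey.casefold() in _BLOCKED_FOLDED


def matcher_postpatch(subkey: str) -> bool:
    """Post-patch check: strip trailing backslashes first, then match exactly."""
    return subkey.rstrip("\\").casefold() in _BLOCKED_FOLDED


def bypasses(subkey: str, matcher) -> bool:
    """True when the matcher lets the name through but the registry resolves it
    to a blocked key: exactly the discrepancy the exploit relies on."""
    resolves_to_blocked = registry_key_name(subkey) in _BLOCKED_FOLDED
    return resolves_to_blocked and not matcher(subkey)


if __name__ == "__main__":
    for candidate in ("InprocServer32", "InprocServer32\\", "Harmless"):
        print(f"{candidate!r:20} -> registry key {registry_key_name(candidate)!r:18}"
              f" bypass pre-patch={bypasses(candidate, matcher_prepatch)}"
              f" post-patch={bypasses(candidate, matcher_postpatch)}")
```

Running it shows the asymmetry in one line: "InprocServer32\" is not matched by the pre-patch comparison but resolves to InprocServer32 in the registry, so it is reported as a bypass, while the post-patch matcher, which normalizes the same way the registry does, catches it.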

Morphisec found that this behavior could be used to load a malicious form server executable placed in the local AppData Forms folder. When a message carrying the matching message class is delivered to the victim and opened, the form server is instantiated.

Depending on the COM registration used, this loads a malicious DLL inside the Outlook process (via InprocServer32) or, through other COM properties such as LocalServer32, launches an external application.

The result is arbitrary code execution in the context of the Outlook application: a malicious DLL is loaded and run with the privileges of the logged-on user, potentially leading to data theft, further unauthorized access, and other follow-on activity.
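One check a responder would want from the description above is whether any COM server registered in the user's CLSID hive points into that Forms folder. The following Python scanner is an added example, not tooling from the page, Morphisec or Microsoft. It parses text in the format produced by `reg export` (a constructed sample is embedded inline; it is not a real export), and the folder it looks for, %LOCALAPPDATA%\Microsoft\Forms, is an assumption drawn from the article's "AppData local Forms folder". It is a hunting heuristic, not a signature for this CVE.

```python
import re

# Added hunting check (not from the page, Morphisec or Microsoft): find CLSID
# registrations whose InprocServer32/LocalServer32 default value points into the
# local AppData Forms folder. The folder path below is an assumption based on the
# article's "AppData local Forms folder".
FORMS_FOLDER_MARKER = "\\appdata\\local\\microsoft\\forms\\"
SERVER_SUBKEYS = ("inprocserver32", "localserver32")

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')

# Constructed sample in .reg syntax; not a real export from any host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Benign Form Server"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Vendor\\formserver.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Forms\\payload.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\LocalServer32]
@="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Forms\\launcher.exe\" /embedding"
'''


def reg_unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character,
    so '\\\\' becomes '\\' and '\\"' becomes '"'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def suspicious_servers(reg_text: str) -> list:
    """Return (clsid, server_subkey, path) for every server subkey whose default
    value resolves into the Forms folder. Only the default value (@=) is
    inspected, because that is where COM reads the server path from."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group(1)
            continue
        if current_key is None:
            continue
        parts = current_key.split("\\")
        if len(parts) < 2 or parts[-1].lower() not in SERVER_SUBKEYS:
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if not value:
            continue
        path = reg_unescape(value.group(1))
        if FORMS_FOLDER_MARKER in path.lower():
            findings.append((parts[-2], parts[-1], path))
    return findings


if __name__ == "__main__":
    for clsid, subkey, path in suspicious_servers(SAMPLE_REG):
        print(f"{clsid} {subkey}: {path}")
```

To run it against a real host, export the hive with `reg export HKCU\Software\Classes\CLSID clsid.reg` and read the file with a UTF-16 encoding (reg.exe writes UTF-16 with a byte-order mark by default). A hit is a lead to inspect, not proof of exploitation: nothing prevents a legitimate component from registering a server under that folder, so pull the referenced file and check its signature and provenance before acting on the result.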


CVE-2024-30103 – Patch

Microsoft's security update revises the allow-list matching algorithm, changing the way subkeys are matched.

Previously, the algorithm searched for substrings within subkeys; it now strips trailing backslashes from the subkey before performing an exact match. This closes the trailing-backslash trick, although how well it holds up against other path manipulations remains to be seen.

Alongside this change, Microsoft extended its denylist with new entries intended to prevent remote code execution attacks that rely on subkey manipulation.

These improvements demonstrate Microsoft’s ongoing commitment to strengthening security measures and protecting users from emerging threats.

The patch addresses the immediate vulnerability, but organizations must remain vigilant as related techniques evolve. Apply the latest Outlook security updates promptly and keep to regular patching and security audits; because the trigger here is simply opening a crafted email, user awareness training is no substitute for the fix.


Raj Yasani

Rajashekar Yasani is a seasoned Cloud Security Engineer with extensive experience in cybersecurity research. As a security researcher, Rajashekar shares practical insights to help organizations enhance their security posture in an ever-evolving digital landscape.
