CVE-2024-38189

Microsoft Project Remote Code Execution Vulnerability

CVSS 8.8 HIGH | EPSS 7.9% | KEV | CWE-20
Vexday Risk Score
51 Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 8.8 | EPSS 7.9% | KEV yes | PoC | Nuclei | Metasploit | Patch referenced
Lifecycle
13 Aug 2024: Active exploitation (CISA KEV)
13 Aug 2024: Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A flaw in Microsoft Project allows attackers to execute arbitrary code on a victim's computer if the victim opens a specially crafted file. This is dangerous because it gives attackers complete control over the affected system.

Technical detail

An input validation vulnerability (CWE-20) in Microsoft Project enables remote code execution when a user opens a malicious project file. The attack requires user interaction (file opening) and results in code execution with user privileges, allowing attackers to compromise the system.

Summary generated and translated by AI from the official description.
Microsoft Project Remote Code Execution Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
