Microsoft has revealed a high-severity zero-day vulnerability, identified as CVE-2024-38200, affecting several versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

This vulnerability, stemming from an information disclosure weakness, allows unauthorized actors to access sensitive information such as system configurations, personal data, and connection metadata.

Although Microsoft assesses exploitation of CVE-2024-38200 as less likely, MITRE has flagged the likelihood of exploitation for this type of vulnerability as highly probable. The flaw is particularly concerning because it could be exploited in a web-based attack.

In such a scenario, attackers might host a malicious website or compromise an existing one, embedding a specially crafted file designed to exploit this vulnerability. Users would need to be tricked into clicking a link and opening the file for the attack to succeed.

Microsoft is currently working on security updates to address this vulnerability, but no release date for the patch has been announced yet. Users are advised to remain vigilant and avoid opening suspicious links or files until a fix is available.
