CVE-2001-0538
published 2001-08-14

CVE-2001-0538: Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail…

Priority: P348
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 52.85% (98.8th percentile)
Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail message or web page.

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | outlook | <= 2002 |

Detection & IOCs (extracted from sources)

command: C:\WINNT\SYSTEM32\CMD.EXE /c DIR /A /P /S C:\
process: WScript.Shell
  • The Microsoft Outlook View Control ActiveX is marked 'safe for scripting', allowing untrusted scripts (e.g., in HTML email or web pages) to instantiate it and access/manipulate Outlook email objects without user interaction. Detect instantiation of this control from web/email contexts.
  • Exploit code uses a delayed script execution pattern (setTimeout with ~2000ms) to trigger malicious ActiveX operations after page/email load. Monitor for setTimeout-based ActiveX invocations in HTML email or web content.
  • Exploitation chain pivots from the Outlook View Control to spawning WScript.Shell via CreateObject, then executing arbitrary commands via CMD.EXE. Monitor Outlook processes for child process creation of cmd.exe or wscript.exe.
  • Scripts access email body and subject through the Outlook View Control selection object (sel.Item(1).Body / .HTMLBody / .Subject). Anomalous script-level access to Outlook mail item properties from browser or HTML email context is indicative of exploitation.
  • Exploitation requires the victim to have at least one message present in Outlook XP's Inbox at the time the malicious HTML email or web page is rendered.
  • The vulnerability affects Microsoft Outlook 98, 2000, and 2002 (Outlook XP) and earlier versions where the Outlook View Control ActiveX is present and marked safe for scripting.
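
The child-process check from the detection notes above, as an added example (not taken from the sources this page quotes). It assumes process-creation telemetry exported as one JSON object per line with the Sysmon Event ID 1 field names Image, ParentImage and CommandLine; the function name and the sample events are constructed for illustration.

```python
import json
import ntpath

# Parent and child image names taken from the detection note on this page.
PARENTS = {"outlook.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "wscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path, surrounding quotes stripped."""
    return ntpath.basename(str(path or "").strip().strip('"')).lower()


def find_outlook_spawns(lines, parents=PARENTS, children=SUSPECT_CHILDREN):
    """Return events where a mail client spawned a shell or script host.

    `lines` is an iterable of JSON strings (assumed export format).
    Malformed or non-object lines are skipped so one bad record
    does not abort the scan.
    """
    hits = []
    for lineno, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        parent = image_name(ev.get("ParentImage"))
        child = image_name(ev.get("Image"))
        if parent in parents and child in children:
            hits.append({"line": lineno,
                         "parent": ev["ParentImage"],
                         "child": ev["Image"],
                         "command_line": ev.get("CommandLine", "")})
    return hits


# Constructed sample events, not real telemetry. Install paths are made up;
# the first command line is the one listed under "Detection & IOCs".
SAMPLE = [
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE", "Image": "C:\\WINNT\\SYSTEM32\\CMD.EXE", "CommandLine": "C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\"}',
    r'{"ParentImage": "C:\\WINNT\\explorer.exe", "Image": "C:\\WINNT\\SYSTEM32\\CMD.EXE", "CommandLine": "cmd.exe"}',
    'not json at all',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE", "CommandLine": "winword.exe"}',
    r'{"ParentImage": "\"c:\\office\\outlook.exe\"", "Image": "c:\\winnt\\system32\\wscript.exe", "CommandLine": "wscript.exe"}',
]

if __name__ == "__main__":
    for hit in find_outlook_spawns(SAMPLE):
        print(hit)
```
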