⚠ Actively exploited

Added to CISA KEV on 2024-08-13. Federal agencies required to patch by 2024-09-03. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-38189 — Improper Input Validation in Microsoft 365 Apps FOR Enterprise

CWE-20 — Improper Input Validation18 documents12 sources

Severity

8.8HIGHNVD

EPSS

43.7%

top 2.47%

CISA KEV

KEV

Added 2024-08-13

Due 2024-09-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft 365 Apps FOR Enterprise Microsoft Office 2019 Microsoft Office Ltsc 2021 +3 more

Timeline

PublishedAug 13

KEV addedAug 13

KEV dueSep 3

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Microsoft Project Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDmicrosoft/project_2016< 16.0.5461.1001

▶CVEListV5microsoft/microsoft_project_201616.0.0.0 — 16.0.5461.1001

▶CVEListV5microsoft/microsoft_office_201919.0.0 — https://aka.ms/OfficeSecurityReleases

▶CVEListV5microsoft/microsoft_office_ltsc_202116.0.1 — https://aka.ms/OfficeSecurityReleases

▶CVEListV5microsoft/microsoft_365_apps_for_enterprise16.0.1 — https://aka.ms/OfficeSecurityReleases

Patches

Patch: msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-w8m3-f759-q5hc: Microsoft Project Remote Code Execution Vulnerability↗2024-08-13

▶

CVEList

Microsoft Project Remote Code Execution Vulnerability↗2024-08-13

▶

VulnCheck

Microsoft Project Remote Code Execution Vulnerability↗2024

▶

📋Vendor Advisories

CISA

Microsoft Project Remote Code Execution Vulnerability↗2024-08-13

▶

Microsoft

Microsoft Project Remote Code Execution Vulnerability↗2024-08-13

▶

🕵️Threat Intelligence

Trendmicro

The August 2024 Security Update Review↗2024-08-13

▶

Krebs

Six 0-Days Lead Microsoft’s August 2024 Patch Push↗2024-08-13

▶

Qualys

Microsoft and Adobe Patch Tuesday, August 2024 Security Update Review↗2024-08-13

▶

Tenable

Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs↗2024-08-13

▶

Qualys

Microsoft & Adobe August 2024 Patch Tuesday Updates | Qualys↗2024-08-13

▶