Mallory
Severity: High. Public exploit available.

Microsoft Outlook Custom Forms Remote Code Execution

Identifiers: CVE-2024-21378, CWE-73

CVE-2024-21378 is an authenticated remote code execution vulnerability in Microsoft Outlook caused by unsafe handling of synced custom form objects. Outlook installs forms synchronized through MAPI as IPM.Microsoft.FolderDesign.FormsDescription objects and reads form properties such as PidTagOfflineAddressBookName and PidTagOfflineAddressBookDistinguishedName during installation. NetSPI found that a malicious form could abuse attachment handling, including path traversal via the PidTagAttachFilename property, to write arbitrary files under the local Outlook FORMS directory, and could also create arbitrary registry keys with default values under HKEY_CLASSES_ROOT during form installation. Outlook did carry a denylist in OLMAPI32.DLL intended to block dangerous COM registration paths, but it could be bypassed by supplying a leading-backslash full subkey path such as CLSID\{GUID}\InprocServer32. By combining the arbitrary file write with arbitrary HKCR key creation, an attacker could register a COM object backed by an attacker-controlled DLL and cause Outlook to load it when the malicious form was triggered in the Windows thick client.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives authenticated remote code execution in the context of the targeted Outlook client. The attacker can cause Outlook to write an arbitrary DLL to disk, create COM registration data under HKEY_CLASSES_ROOT, and load the attacker-controlled DLL into the Outlook process. The result is execution of arbitrary native code as the logged-on user, with the usual follow-on risks: malware deployment, persistence via the COM registration, data theft, and broader endpoint compromise. Full system compromise is also possible depending on post-exploitation conditions and the privileges of the affected user.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure by limiting or monitoring Outlook custom form usage, especially in environments that do not need custom forms at all. Monitor for creation or modification of HKCR\CLSID\{GUID}\InprocServer32 keys tied to Outlook form installation, and for outlook.exe dropping DLLs into %localappdata%\Microsoft\FORMS. Restrict the token-theft and mailbox-abuse paths that would let an attacker authenticate to Exchange Online or on-premises Exchange and deliver malicious forms. Harden identity controls against device-code phishing, token theft, and credential compromise, since the attack chain relies on valid Exchange user access. User awareness can reduce the triggering actions, but preview-pane interaction may still be enough to trigger the form, so patching remains the primary mitigation.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 13, 2024 security updates for Outlook that address CVE-2024-21378. Ensure supported Outlook clients are fully patched through normal Microsoft update channels. Because the issue is tied to Outlook custom form synchronization and installation behavior, organizations should verify that all Windows Outlook thick clients receiving Exchange-hosted forms are updated. Review environments for suspicious Outlook form artifacts, unexpected DLLs in %localappdata%\Microsoft\FORMS\IPM* paths, and anomalous HKCR\CLSID*\InprocServer32 registrations associated with Outlook form activity. If compromise is suspected, remove malicious forms, delete dropped payloads, and remediate any malicious COM registrations and follow-on persistence.
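As an added illustration of the monitoring described under Mitigation and Remediation (this is not Mallory's, Microsoft's or NetSPI's code), the routine below evaluates Sysmon-style FileCreate (event 11) and RegistryEvent value-set (event 13) records for the two artefacts the advisory names: outlook.exe writing a DLL under %localappdata%\Microsoft\FORMS, and a CLSID\{GUID}\InprocServer32 default value pointing at such a DLL. The sample events, paths, SID and GUIDs are constructed for the demonstration.

```python
import re

# Artefacts the Mitigation and Remediation sections say to watch for.
# Paths, SID and GUIDs in the sample events below are constructed, not real telemetry.
FORMS_DLL = re.compile(r"\\AppData\\Local\\Microsoft\\FORMS\\.*\.dll$", re.IGNORECASE)
INPROC_KEY = re.compile(
    r"(?:^HKCR\\|Classes\\)CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\?(?:\(Default\))?$",
    re.IGNORECASE,
)

def is_outlook(image):
    return image.lower().endswith("\\outlook.exe")

def detect(events):
    """Evaluate Sysmon-style records (11 = FileCreate, 13 = RegistryEvent value set)
    and return one finding per matching event."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 11 and is_outlook(image) and FORMS_DLL.search(ev["TargetFilename"]):
            findings.append({"rule": "outlook_dll_written_to_forms_dir",
                             "severity": "high", "target": ev["TargetFilename"]})
        elif ev["EventID"] == 13 and INPROC_KEY.search(ev["TargetObject"]):
            dll = ev.get("Details", "")
            # Any COM in-proc server registered by outlook.exe deserves triage; one whose
            # default value points into the FORMS directory is the chain described above.
            if is_outlook(image) or FORMS_DLL.search(dll):
                findings.append({"rule": "com_inproc_registration",
                                 "severity": "high" if FORMS_DLL.search(dll) else "medium",
                                 "target": ev["TargetObject"], "dll": dll})
    return findings

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
FORMS = r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Demo"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename": FORMS + r"\payload.dll"},
    {"EventID": 13, "Image": OUTLOOK, "Details": FORMS + r"\payload.dll",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)"},
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename": FORMS + r"\FRMCACHE.DAT"},  # benign: not a DLL
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "Details": r"C:\Program Files\Vendor\vendor.dll",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32\(Default)"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Legitimate custom-form installs also populate the FORMS directory, so treat the file-write rule as a triage signal and the InprocServer32 rule pointing into FORMS as the high-confidence indicator.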

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total

CVE-2024-21378 | Maturity: PoC | Verified exploit

This repository provides a proof-of-concept exploit for CVE-2024-21378, a vulnerability in Microsoft Outlook (Exchange Online) that allows arbitrary code execution via malicious COM DLLs. The exploit consists of a single Python script (CVE-2024-21378.py) and a README with detailed instructions. The script sends a crafted HTTP POST request to the /ruler endpoint of a target Outlook/Exchange Online instance, delivering a malicious COM DLL as a form attachment. The attack requires a valid access token (typically obtained via phishing/vishing), the target's email address, and a compiled malicious DLL. User interaction in the Outlook thick client is required to trigger the payload, which results in the DLL being loaded and executed in the Outlook process. The repository is structured simply, with the Python script as the main entry point and the README providing context, usage instructions, and a disclaimer.

Author: d0rb. Disclosed Mar 12, 2024. Tags: python, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                 Product                                Type
Microsoft Corporation  365 Apps                               application
Microsoft Corporation  Office                                 application
Microsoft Corporation  Office Long Term Servicing Channel     application
Microsoft Corporation  Outlook                                application

Vendor-confirmed product mapping.
