Published: 13/10/2017 Updated: 11/07/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow a malicious user to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

Affected Products

Vendor | Product | Versions
Microsoft | Outlook | 2010, 2013, 2016
Microsoft | Outlook 2013 RT | *

Github Repositories

SniperRoost: used to generate a valid attack chain to exploit CVE-2017-11774, tied to Iranian APT. Only research PoC, don't use for harm please.

A couple of Cmdlets leveraging EWS API (in case access over MAPI is limited) for performing specific enumeration/exploitation tasks on Exchange Servers (Office365, Premises-based Servers etc.) during RT engagements; retrieving basic statistics about mailboxes, generating statistics charts for compromised accounts and average mail data size that could be exfiltrated which can

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw
The Register • Shaun Nichols in San Francisco • 03 Jul 2019

Government-backed campaign going after bug that was patched in 2017

An ongoing Iranian government-backed hacking campaign is now trying to exploit a Microsoft Outlook flaw from 2017.
The US Cyber Command has issued an alert that hackers have been actively going after CVE-2017-11774. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim's Outlook credentials to change the user's home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened.
The timing of ...

Outlook Flaw Exploited by Iranian APT33, US CyberCom Issues Alert
BleepingComputer • Sergiu Gatlan • 03 Jul 2019

US Cyber Command (US CyberCom) issued a malware alert on Twitter regarding the active exploitation of the CVE-2017-11774 Outlook vulnerability to attack US government agencies, allowing the attackers to execute arbitrary commands on compromised systems.
Although US CyberCom did not mention the threat actor behind the ongoing attacks, security researchers from Chronicle, FireEye, and Palo Alto Networks have linked them to the Iranian-backed APT33 cyber-espionage group.
APT33 (also...

OVERRULED: Containing a Potentially Destructive Adversary
FireEye Threat Research • by Geoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr • 21 Dec 2018

FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in ...