Published: 16/10/2020 Updated: 22/10/2020
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Outlook could allow a remote malicious user to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim.

Vulnerability Trend

Github Repositories

PoC of CVE-2020-16947 (Microsoft Outlook RCE vulnerablility)

CVE-2020-16947 PoC of CVE-2020-16947 (Microsoft Outlook RCE vulnerablility)

CVE-2020-16947 This vulnerability occurs in Outlook 2019 (1601323120262) installed on Windows 10 1909 x64 TLDR; I found this bug usng winafl fuzzer This bug occured when parsing html contents if attacker successfully executes this exploit, it can lead to remote command execution Details 0:000> r rax=0000000000000000 rbx=0000021c99ce9eb0 rcx=0000021c99ce9eb0 rdx=000

Recent Articles

Microsoft fixes critical Outlook bug exploitable via preview pane
BleepingComputer • Sergiu Gatlan • 14 Oct 2020

Microsoft has released the October 2020 Office security updates with a total of 24 security updates and 5 cumulative updates for 7 different products, fixing 13 vulnerabilities that could enable remote attackers to execute arbitrary code on vulnerable systems.
The highlight of this month's Microsoft Office security updates is without a doubt CVE-2020-16947, a remote code execution vulnerability that leads to remote code execution when previewing or opening maliciously crafted emails with ...

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug
Threatpost • Tara Seals • 13 Oct 2020

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.
There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.
This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, ...

The Register

Patch Tuesday Microsoft's Update Tuesday patch dump for October 2020 has delivered security patches that attempt to address 87 CVEs for a dozen Redmond products.
Nadella's security crew has identified 22 remote code execution (RCE) CVEs though the most worrisome looks like CVE-2020-16898, Windows TCP/IP RCE, which is rated 9.8 out 10 in severity. It affects Windows desktop and server systems.
According to Microsoft, the Windows TCP/IP stack doesn't properly handle ICMPv6 Router Adver...