Security News > 2020 > December > Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
A zero-click remote code execution bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
Microsoft did not assign a CVE to this vulnerability, stating "It's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."
Worse, the RCE is cross-platform - affecting Microsoft Teams for Windows, Linux, macOS, and the web - and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.
This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.
Chief among them is a separate RCE vulnerability in Microsoft Teams that the company patched as part of its November 2020 Patch Tuesday last month.
News URL
Related news
- ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu (source)
- Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE (source)
- Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure (source)
- Microsoft launches unified Teams app for personal, work accounts (source)
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data (source)
- APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262) (source)