Security News > 2020 > December > Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
A zero-click remote code execution bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
Microsoft did not assign a CVE to this vulnerability, stating "It's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."
Worse, the RCE is cross-platform - affecting Microsoft Teams for Windows, Linux, macOS, and the web - and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.
This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.
Chief among them is a separate RCE vulnerability in Microsoft Teams that the company patched as part of its November 2020 Patch Tuesday last month.
News URL
Related news
- New Microsoft 365 outage impacts Teams, causes call failures (source)
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) (source)
- Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability (source)
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks (source)
- Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’ (source)