Security News > 2020 > December > Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
A zero-click remote code execution bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
Microsoft did not assign a CVE to this vulnerability, stating "It's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."
Worse, the RCE is cross-platform - affecting Microsoft Teams for Windows, Linux, macOS, and the web - and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.
This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.
Chief among them is a separate RCE vulnerability in Microsoft Teams that the company patched as part of its November 2020 Patch Tuesday last month.
News URL
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Microsoft is killing Skype today, pushes users to Teams (source)
- New Microsoft 365 outage impacts Teams and other services (source)
- Microsoft Teams will soon block screen capture during meetings (source)
- Week in review: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited (source)