Security News > 2022 > January > Microsoft Outlook RCE zero-day exploits now selling for $400,000

Exploit broker Zerodium has announced a pay jump to 400,000 for zero-day vulnerabilities that allow remote code execution in Microsoft Outlook email client.
Zerodium's regular bounty for RCE vulnerability in Microsoft Outlook for windows is $250,000, expected to be "Accompanied by a fully functional and reliable exploit."
"We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment" - Zerodium.
The same conditions apply for the exploit payouts for Mozilla Thunderbird as in the case of Microsoft Outlook.
While the company did not specify an end date for submitting zero-click Microsoft Outlook exploits, the period may be quite long.
On March 31, 2021, Zerodium announced that it was temporarily tripling the bounty for WordPress RCE exploits and the offer still stands today.
News URL
Related news
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- CentreStack RCE exploited as zero-day to breach file sharing servers (source)
- Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day (source)
- Microsoft warns of CPU spikes when typing in classic Outlook (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)