Security News > 2022 > January > Microsoft Outlook RCE zero-day exploits now selling for $400,000

Exploit broker Zerodium has announced a pay jump to 400,000 for zero-day vulnerabilities that allow remote code execution in Microsoft Outlook email client.
Zerodium's regular bounty for RCE vulnerability in Microsoft Outlook for windows is $250,000, expected to be "Accompanied by a fully functional and reliable exploit."
"We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment" - Zerodium.
The same conditions apply for the exploit payouts for Mozilla Thunderbird as in the case of Microsoft Outlook.
While the company did not specify an end date for submitting zero-click Microsoft Outlook exploits, the period may be quite long.
On March 31, 2021, Zerodium announced that it was temporarily tripling the bounty for WordPress RCE exploits and the offer still stands today.
News URL
Related news
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Microsoft says button to restore classic Outlook is broken (source)
- Microsoft isn't fixing 8-year-old shortcut exploit abused for spying (source)
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- Microsoft Exchange Online outage affects Outlook web users (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)