Hackers are actively exploiting a critical escalation of privilege (EoP) vulnerability in Outlook, according to Microsoft. If you use Outlook on Windows, you need to update the email client today. Large organizations must consult Microsoft's instructions to quickly mitigate this threat.

This zero-day vulnerability (CVE-2023-23397) is rated at 9.8 out of 10 on the CVSS scale, meaning that it's both dangerous and easy to exploit. Details are a bit slim, but Microsoft explains that a specially crafted email automatically triggers the exploit when it's received by Outlook, without any interaction from the victim.

The exploit allows a hacker to obtain the victim's Net-NTLMv2 hash. From there, the hacker can gain access to the victim's network for further attacks or observation. A "Russia-based threat actor" has already used this exploit to target "organizations in government, transportation, energy, and military sectors in Europe." (Notably, the vulnerability was first recognized and reported by Ukraine's CERT security response team.)

A patch for this vulnerability is available in the latest Outlook update. I suggest that you manually update Outlook immediately on all Windows PCs in your home. To update Outlook, simply press the "File" tab, select "Microsoft Account" from the pop-out menu, click "Update Options," and choose "Update Now."

Large organizations may have a difficult time updating all instances of Outlook. For this reason, Microsoft lists several mitigation methods on its CVE listing. Microsoft also offers a PowerShell script that allows organizations to see if they've been targeted by this vulnerability.

Source: Microsoft via Forbes, Bleeping Computer