CVE DATABASE / CVE-2017-11774
CVE-2017-11774
Microsoft Office Outlook Security Feature Bypass Vulnerability
CVSS 7.8 · HIGH
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2021-11-03.
Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.
Summary
Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."
CVSS 3.1 breakdown
| Base score | 7.8 (HIGH) |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Attack vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Microsoft outlook
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://www.securityfocus.com/bid/101098
- http://www.securitytracker.com/id/1039542
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774
- https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11774
Data: NIST NVD + CISA KEV. NVD last modified 2026-04-22. Always verify against the vendor advisory before acting.