A recently identified zero-click remote code execution (RCE) vulnerability in Microsoft Teams’ desktop applications poses significant risks to users. This flaw enables potential adversaries to execute arbitrary code on a targeted system merely by sending a specially crafted chat message. The vulnerability was reported on August 31, 2020, by Oskars Vegeris, a security engineer at Evolution Gaming, and was remedied by Microsoft by the end of October the same year.

Interestingly, Microsoft opted not to assign a CVE identifier to this vulnerability. Under the company’s policy, CVEs are not issued for products that update automatically without user intervention. Vegeris clarified in his technical analysis that the exploit triggers as soon as a user views the chat message, with no further action required.

The implications of this vulnerability are severe, resulting in a complete compromise of confidentiality and integrity for end users, with unauthorized access to private chats, files, internal networks, private keys, and personal information stored outside of Microsoft Teams. Even more concerning, the RCE is cross-platform, affecting Teams for Windows, Linux, macOS, and the web interface, meaning that it could easily spread through malicious payloads reposted in different channels, targeting an entire user group.

The exploit chains an existing cross-site scripting (XSS) flaw in Teams’ ‘@mentions’ feature with a JavaScript-based RCE payload. This allows attackers to send seemingly innocuous chat messages containing user mentions, either as direct messages or within a channel. In MITRE ATT&CK terms, this maps onto tactics such as Initial Access and onto techniques that exploit vulnerabilities. Simply opening the chat can lead to payload execution, giving attackers the ability to exfiltrate sensitive SSO tokens and execute arbitrary commands.
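The following is an added defender-side illustration of the bug class described above; it is not code from the article, from Microsoft, or from Vegeris’ write-up. It assumes a hypothetical chat client that renders ‘@mention’ display names into HTML, and the message structure, field names and sample messages are constructed for the example rather than taken from Teams.

```javascript
// Hypothetical message shape, constructed for this example (not Teams' real wire format):
// each mention carries a user id and a sender-supplied display name.
const SAMPLE_MESSAGES = [
  { id: 1, text: 'ping @Alice', mentions: [{ userId: 'u1', displayName: 'Alice Smith' }] },
  { id: 2, text: 'ping @Bob',   mentions: [{ userId: 'u2', displayName: '<img src=x onerror=alert(1)>' }] },
  { id: 3, text: 'ping @Eve',   mentions: [{ userId: 'u3', displayName: "Eve O'Brien" }] },
];

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened renderer: the display name is treated strictly as data, never as markup.
// The defect described in the article amounts to the opposite: sender-controlled
// mention text reaching innerHTML (or an equivalent sink) without this escaping.
function renderMention(mention) {
  return `<span class="mention" data-user-id="${escapeHtml(mention.userId)}">` +
         `@${escapeHtml(mention.displayName)}</span>`;
}

// Detection: flag mentions whose display name carries tags, inline event handlers
// or javascript: URLs. A legitimate display name never needs any of these, so this
// is a reasonable server-side validation rule or message-log alert.
const MARKUP_RE = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

function flagSuspiciousMentions(messages) {
  const flagged = [];
  for (const msg of messages) {
    for (const m of msg.mentions) {
      if (MARKUP_RE.test(m.displayName)) {
        flagged.push({ messageId: msg.id, userId: m.userId, reason: 'markup in displayName' });
      }
    }
  }
  return flagged;
}
```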

This incident is not unprecedented; RCE vulnerabilities have been previously observed in Microsoft Teams and similar enterprise messaging apps. Specifically, a separate RCE vulnerability (CVE-2020-17091) was addressed by Microsoft as part of their November 2020 Patch Tuesday. In recent months, Vegeris also identified a critical “wormable” flaw in Slack’s desktop version that could permit an intruder to seize control of a user’s system through the sharing of malicious files.

In another notable incident, Cisco patched a comparable vulnerability in its Jabber video conferencing and messaging application that could enable an authenticated remote attacker to execute arbitrary code, underscoring the recurring security challenges faced by popular communication platforms.

This ongoing cycle of vulnerabilities highlights the need for vigilance among business owners regarding the cybersecurity risks of enterprise applications. Adopting the MITRE ATT&CK framework can help organizations identify weaknesses and understand the tactics and techniques adversaries use in such exploits.

As the cybersecurity landscape continues to evolve, staying informed about these vulnerabilities is essential for safeguarding organizational assets and ensuring user safety.
