Zero-click wormable RCE flaw found in Microsoft Teams


A zero-click remote code execution (RCE) vulnerability was uncovered in Microsoft Teams desktop apps that could have let a threat actor execute arbitrary code by simply sending a specially-crafted chat message and compromising a target’s system.

The issue was reported to Microsoft by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020 and they were addressed at the end of October.

A CVE was not assigned to this vulnerability by the tech giant stating that it is currently their company policy to not issue CVEs on products that automatically updates without user’s interaction.

Vegeris said that no user interaction is required and the exploit executes upon seeing the chat message. As a result, there is total loss of confidentiality and integrity for end users — access to private chats, files, internal network, private keys and personal data outside MS Teams.

The RCE is cross-platform — affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web ( — and could be made wormable which means that it could be propagated by automatically reposting the malicious payload to other channels.

So, the exploit can be passed on from one account to a whole group of users, thereby compromising an entire channel.

To do this, the exploit chain strings together a cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ functionality and a JavaScript-based RCE payload to post a harmless-looking chat message containing a user mention either in the form of a direct message or to a channel.

By visiting the chat at the recipient’s end leads to the execution of the payload, allowing it to be exploited to log users’ SSO tokens to local storage for exfiltration and execute any command of the attacker’s choice.

Such RCE flaws were observed earlier also in Teams and other enterprise-focused messaging apps. One of them include a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) which was patched as part of its November 2020 Patch Tuesday.

This August, the researcher also revealed a critical “wormable” flaw in Slack’s desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.

Image Credits : Insider Pro

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Police arrest two in defense data theft cyberattack

    Previous article

    Critical remote code execution fixed in PlayStation Now

    Next article

    You may also like


    Leave a reply

    Your email address will not be published. Required fields are marked *