IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Zero-click 'wormable' RCE flaw uncovered in Microsoft Teams

Researcher complains that Microsoft underscored the significance of the flaw, which could be triggered without user interaction

Hackers were able to exploit a serious vulnerability in Microsoft Teams desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a specially-crafted message.

The zero-click flaw, which is wormable, can be triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a malicious message which will execute code without user interaction.

This remote code execution (RCE) flaw was first reported to Microsoft in August, with the company fixing the bugs in October 2020. However, security researcher Oskars Vegaris, who discovered the flaw,  has complained that the firm didn’t take his report as seriously as it should have, with Microsoft not even assigning the bug a CVE tag.

Microsoft considered the Teams vulnerability as ‘important’ although described its impact as ‘spoofing’ in its bug bounty programme. As for the CVE element, Microsoft doesn’t issue CVE tags on products that automatically update without user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegaris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws, including stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. 

The impact is seemingly alarming, with its wormable nature meaning the exploit payload can be spread across other users, channels and companies without any interaction. The execution of malicious code could also happen without any user interaction, given users need to only view the specially-crafted message. 

The consequences of infection range from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as personal data outside of Microsoft Teams.

Hackers can also gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft 365. This will expose them to possible phishing attacks too, as well as keylogging with specially-crafted payloads, according to Vegaris.

“We mitigated the issue with an update in October, which has automatically deployed and protected customers.” A Microsoft spokesperson told IT Pro, adding that no further customer action is necessary. 

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022

Most Popular

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022