Microsoft Outlook RCE Vulnerability Can Sell For $400,000

Zerodium has just announced that they have increased the price of the zero-day vulnerability that allows remote code execution (RCE) on Microsoft Outlook to $ 400,000 (equivalent to VND 9 billion). Zerodium is an American security company that specializes in acquiring zero-day vulnerabilities for research purposes and then reporting and recommending solutions to firms.

Zerodium did not disclose the end date of this purchase price increase, but shared that it will only be applied in the short term.

Zero-click mining

Normally, Zerodium will spend $250,000 for an RCE vulnerability in the Microsoft Outlook for Windows client. The minimum requirement is that the vulnerability has a well-functioning, fully functional, and reliable exploit method.

However, when the price was raised to $400,000, Zerodium required the vulnerability to be exploited to execute code remotely without any interaction from the victim, aka zero-click. The extraction takes place while Outlook is receiving and downloading the email.

"We are temporarily increasing the payout for RCE vulnerabilities in Microsoft Outlook from $250,000 to $400,000. We're looking for a zero-click exploit that leads to remote code execution when receiving/downloading emails. in Outlook without any user interaction such as reading malicious emails or opening attachments," shared Zerodium.

Of course, vulnerabilities that can be exploited by tricking users into reading malicious emails or opening attachments will still be recognized by Zerodium. However, the amount received will be under $400,000.

If you are a security expert and have a Microsoft Outlook RCE vulnerability, do not hesitate to contact Zerodium immediately.

Lesley Montoya

Update 29 January 2022