Cyber Resilience

CVE-2017-11774

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 October 2017
Modified: 22 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8557 (99.4th percentile)
Risk Priority: 87 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2017-11774 is a high-severity vulnerability in Microsoft Outlook, classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and described by Microsoft as a security feature bypass. Its CVSS 3.1 base score is 7.8 (High).

Operationally, its EPSS score places it in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof of concept is referenced.

The strongest mitigations identified in our analysis are NIST SP 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 are affected by CVE-2017-11774, a security feature bypass vulnerability that Microsoft attributes to how Office handles objects in memory. The flaw is classified under CWE-119 and carries a CVSS 3.1 base score of 7.8; successful exploitation lets an attacker execute arbitrary commands on the affected system.

The CVSS vector (AV:L, PR:N, UI:R) describes an attacker who holds no privileges on the target and needs a user to open or process a specially crafted object in Outlook, for example a malicious message or file. Once that happens the attacker gains full control over confidentiality, integrity, and availability (C:H/I:H/A:H) within the scope of the affected user (S:U); no further interaction is required.

The Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774 and related bulletins at SecurityFocus and SecurityTracker provide official guidance on available patches and mitigations for the listed Outlook versions. Additional technical analysis appears in references such as the SensePost blog post on Outlook home-page vectors.


Vulnerability details

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

CWE(s): CWE-119
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: outlook
Versions: 2010, 2013, 2016

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor patches that close the memory-handling flaw in Outlook before a crafted object can be processed.

SI-3 Malicious Code Protection (prevent, detect)

Requires malicious-code detection mechanisms on email clients and attachments that can block the specially crafted objects used to exploit CVE-2017-11774.

CM-7 Least Functionality (prevent)

Enforces least-functionality restrictions on Outlook (e.g., disabling automatic rendering or external object loading) that reduce the attack surface for memory-based command execution.
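The SI-3 and CM-7 entries above call for detecting and restricting the Outlook home-page feature that the referenced SensePost analysis describes. The following PowerShell audit is an added example written for this page, not Microsoft's code or a script from any reference listed here. It assumes, as is not stated on this page, that Outlook keeps per-folder home pages under HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder> in a REG_SZ value named URL (with a DWORD Flags), and that the post-patch policy switches are the DWORDs EnableRoamingFolderHomepages and NonDefaultStoreScript under HKCU:\Software\Policies\Microsoft\Office\<version>\Outlook\Security, where a value of 1 re-enables the restricted behaviour. The version keys 14.0, 15.0 and 16.0 correspond to Outlook 2010, 2013 and 2016.

```powershell
<#
  Audit (and optionally remediate) Outlook folder home-page settings.
  Added example for this page; not vendor code. Registry paths and value
  names below are assumptions documented in the lead-in, not taken from
  the page itself. Run in the context of the user profile being audited.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,                                   # clear URLs, reset policy values
    [string[]]$OfficeVersions = @('14.0', '15.0', '16.0')  # Outlook 2010, 2013, 2016
)

$findings = @()

foreach ($ver in $OfficeVersions) {
    # 1. Per-folder home pages: any configured URL deserves review; a remote
    #    http(s) or UNC target is the classic abuse pattern.
    $webView = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
    if (Test-Path $webView) {
        foreach ($folder in Get-ChildItem -Path $webView) {
            $url = (Get-ItemProperty -Path $folder.PSPath -Name URL -ErrorAction SilentlyContinue).URL
            if (-not [string]::IsNullOrWhiteSpace($url)) {
                $remote = $url -match '^(https?://|\\\\)'
                $findings += [pscustomobject]@{
                    Version  = $ver
                    Check    = "HomePage:$($folder.PSChildName)"
                    Value    = $url
                    Severity = if ($remote) { 'High' } else { 'Review' }
                }
                if ($Remediate) {
                    Remove-ItemProperty -Path $folder.PSPath -Name URL   -ErrorAction SilentlyContinue
                    # Flags=1 makes Outlook show the home page by default; reset it as well.
                    Remove-ItemProperty -Path $folder.PSPath -Name Flags -ErrorAction SilentlyContinue
                }
            }
        }
    }

    # 2. Policy values that weaken the patched default when set to 1.
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security"
    foreach ($name in 'EnableRoamingFolderHomepages', 'NonDefaultStoreScript') {
        $val = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings += [pscustomobject]@{
                Version  = $ver
                Check    = "Policy:$name"
                Value    = $val
                Severity = 'High'
            }
            if ($Remediate) {
                Set-ItemProperty -Path $policy -Name $name -Value 0 -Type DWord
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook folder home pages or weakened home-page policies found.'
} else {
    $findings | Sort-Object Severity, Version | Format-Table -AutoSize
}
```

Run it without switches to report, and with -Remediate to clear any configured home-page URL and reset the two policy values to 0. It inspects only the current user's hive, so for fleet use run it at logon or iterate over loaded user hives. It complements SI-2 rather than replacing it: an unpatched Outlook still needs the vendor update regardless of what this audit finds.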

References