CVE-2024-38189
Published: 13 August 2024
Summary
CVE-2024-38189 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Office 2019. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-38189 is a remote code execution vulnerability affecting Microsoft Project. It carries a CVSS 3.1 base score of 8.8 with the vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is associated with CWE-20.
An unauthenticated attacker can exploit the flaw over the network by convincing a user to open a specially crafted file or link, resulting in arbitrary code execution with the privileges of the current user and full impact on confidentiality, integrity, and availability.
Microsoft’s advisory at msrc.microsoft.com details the affected builds and available updates, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The associated EPSS score rose from a low baseline to a peak of 0.5467 on 2025-12-11 before receding to the current value of 0.4366, indicating post-disclosure attacker interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37158
Vulnerability details
Microsoft Project Remote Code Execution Vulnerability
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 13 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of all input to Microsoft Project, blocking the specially crafted files/links that trigger the CWE-20 flaw and the subsequent RCE.
- SI-2 (Flaw Remediation): requires timely application of Microsoft-supplied patches for CVE-2024-38189, eliminating the vulnerable code path before an attacker can supply malicious input.
- Deploys mechanisms to detect and block malicious code payloads delivered via crafted Project files, limiting successful exploitation of the RCE.