CVE-2024-38200

MEDIUM

Microsoft 365 Apps and Office - Exposure of Sensitive Information via Spoofing

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-38200. PoCs published by Metin Yunus Kandemir, passtheticket.

AI-analyzed exploit summary: This exploit leverages Microsoft Office URI handlers to force NTLMv2 authentication over HTTP, allowing an attacker to capture and relay the hash to escalate privileges. It requires DNS manipulation and a malicious HTML page to trigger the vulnerability.

Description

Microsoft Office Spoofing Vulnerability

Exploits (2)

exploitdb WORKING POC
by Metin Yunus Kandemir · remote · windows
https://www.exploit-db.com/exploits/52113

This exploit leverages Microsoft Office URI handlers to force NTLMv2 authentication over HTTP, allowing an attacker to capture and relay the hash to escalate privileges. It requires DNS manipulation and a malicious HTML page to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)
No auth needed
Prerequisites: DNS record manipulation · ntlmrelayx setup · web server to host malicious HTML
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 146 stars
by passtheticket · poc
https://github.com/passtheticket/CVE-2024-38200

The repository contains a functional exploit for CVE-2024-38200, demonstrating how to capture NTLMv2 hashes over HTTP via Office URI schemes and relay them for privilege escalation. The `uncredirect.py` script handles HTTP redirection to UNC paths, bypassing security restrictions.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (2019, 365)
No auth needed
Prerequisites: Responder or similar tool for NTLM capture · ntlmrelayx for relaying hashes · DNS record manipulation for intranet zone exploitation
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 6.5
EPSS: 0.1969
EPSS Percentile: 97.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-200
Status: published
Products (4)
microsoft/365_apps (2 CPE variants)
microsoft/office 2016 (2 CPE variants)
microsoft/office 2019 (2 CPE variants)
microsoft/office_long_term_servicing_channel 2021 (2 CPE variants)
Published: Aug 12, 2024
Tracked Since: Feb 18, 2026