The range of threats, they say, include “attackers exploit[ing] this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction. The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”
The repeated reference to “trusted senders” in this warning is important. This vulnerability only carries a zero click threat when an email is received from a trusted source. If the sender is unknown, then the user would need to click to execute. That said, if the problem for an attacker is now spoofing emails from trusted sources that’s a very low bar in today’s world of industrial scale business email compromise.
Leave a reply