What is Microsoft Project?
Microsoft Project is a project management application included in some Microsoft 365 and standalone Office licenses, used by project managers to plan, track, and report on project timelines, resources, and budgets. Project files use the .mpp format and, like other Office applications, support VBA macros for automation. Microsoft Project is commonly used in enterprise, government, and defense contractor environments for large infrastructure and IT projects — making its users (often senior managers and technical leads with access to sensitive project information) attractive targets for spear-phishing.
Overview
CVE-2024-38189 is a remote code execution vulnerability in Microsoft Project that allows an attacker to execute code when a victim opens a malicious Project file. Exploitation requires that the victim has VBA macro notifications disabled (the "VBA Macro Notification Settings" policy) and that Protected View for files from the internet is not enabled — conditions that may be set by Group Policy in some enterprise environments. Microsoft and CISA simultaneously disclosed this as a zero-day on August 13, 2024, confirming active exploitation of Project users in targeted spear-phishing campaigns.
Affected Versions
| Product | Status |
|---|---|
| Microsoft Project (Microsoft 365, Project 2019, Project 2021) | Patched August 2024 Patch Tuesday |
Technical Details
CWE-20 (Improper Input Validation). The vulnerability exploits the interaction between Project's VBA macro execution and the security controls designed to block macro execution in untrusted files. Specifically, when an organization has configured "VBA Macro Notification Settings" to disable notifications (a configuration sometimes set to avoid user friction with macro-heavy files), and Protected View is also disabled for internet-origin files, a malicious .mpp file can execute embedded macros without any security warning when opened.
Once macros execute in the Project process context, an attacker can:
- Download and execute additional payloads
- Establish persistence via scheduled tasks or registry entries
- Harvest credentials stored in the system
- Perform lateral movement using the victim's access
The CVSS Attack Complexity is Low (AC:L) because exploitability depends on the target's configuration rather than on chance conditions such as a race: attackers performing reconnaissance can determine in advance whether targets use configurations that disable macro protections.
Discovery
Confirmed as a zero-day by Microsoft's simultaneous Patch Tuesday and CISA KEV addition. Project-specific macro bypass vulnerabilities indicate targeted exploitation of project management users — likely in contexts where spear-phishing with .mpp files is a plausible social engineering lure (e.g., sending a "project plan" to a project manager).
Exploitation Context
Office macro zero-days delivered via spear-phishing are a consistent attack vector for APTs and financial cybercrime groups. Targeting Microsoft Project users specifically suggests reconnaissance-driven campaigns: attackers who have identified specific project managers or technical leads as targets and crafted lures disguised as legitimate project files. The zero-day exploitation confirms the technique was effective before the security warning was restored by the patch.
Remediation
- Apply the August 2024 Microsoft Office/Project security updates (Patch Tuesday, August 13, 2024).
- Ensure "VBA Macro Notification Settings" is configured to block or prompt for macros in files from the internet — do not set policies that silently allow macros without user confirmation.
- Enable Protected View for files from the internet and email attachments in all Office applications including Project.
- Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.
- Train Project users to be skeptical of .mpp files from external sources, even if they appear to come from known contacts.
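The following PowerShell audit script is an added example; it is not part of this advisory and not a Microsoft-supplied tool. It reads the settings the remediation list refers to and flags the combination the Technical Details section describes as exploitable (macro notifications disabled, no macro blocking for internet-origin files, no ASR child-process rule). The registry paths (the Office 16.0 policy hive, Project's "ms project" subkey, the VBAWarnings and blockcontentexecutionfrominternet value names) and the ASR rule GUID are assumptions drawn from the Office ADMX templates and Defender documentation, not from this page; verify them against your own policy templates before relying on the result.

```powershell
# Added audit script (not from the advisory): reports whether Microsoft Project
# on this host is in the configuration CVE-2024-38189 depends on.
# Assumptions: Office 16.0 policy hive, Project's policy subkey spelled
# "ms project" (as in the Office ADMX templates), value names as below.

$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0\ms project\Security'
$userRoot   = 'HKCU:\Software\Microsoft\Office\16.0\ms project\Security'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# VBAWarnings ("VBA Macro Notification Settings"):
#   1 = enable all macros, no notification (the risky setting)
#   2 = disable all macros with notification (default)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
# A policy value overrides the user's own setting, so check policy first.
$vba = Get-RegValue $policyRoot 'VBAWarnings'
if ($null -eq $vba) { $vba = Get-RegValue $userRoot 'VBAWarnings' }

# blockcontentexecutionfrominternet = 1 enforces
# "Block macros from running in Office files from the Internet"
$motwBlock = Get-RegValue $policyRoot 'blockcontentexecutionfrominternet'

$findings = @()
if ($vba -eq 1) {
    $findings += 'VBAWarnings=1: macros in .mpp files run with no security warning'
}
if ($motwBlock -ne 1) {
    $findings += 'Macros in internet-origin Project files are not blocked by policy'
}

# ASR rule "Block all Office applications from creating child processes".
# Action 1 = Block, 2 = Audit, 6 = Warn; anything other than Block is flagged.
$asrId   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$idx     = [array]::IndexOf($ids, $asrId)
if ($idx -lt 0 -or $actions[$idx] -ne 1) {
    $findings += "ASR rule $asrId (Office child processes) is not in Block mode"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Project macro protections are configured as the advisory recommends.'
}
```

Because the macro settings live under HKCU, run the script in the context of the user account being audited (for example through a logon script or an endpoint management agent); the Defender ASR query is machine-wide and needs no elevation to read.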
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-38189 |
| Vendor / Product | Microsoft — Project |
| NVD Published | 2024-08-13 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 |
| CISA KEV Added | 2024-08-13 |
| CISA KEV Deadline | 2024-09-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-08-13 | Microsoft releases August 2024 Patch Tuesday patching CVE-2024-38189; CISA adds to KEV the same day |
| 2024-09-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-38189 | Vendor Advisory |
| NVD — CVE-2024-38189 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |