A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message. The bug is cross-platform and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels. Microsoft did not assign a CVE to this vulnerability, stating “it’s currently Microsoft’s policy to not issue CVEs on products that automatically updates without user’s interaction”
Source: https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html