Microsoft is addressing 56 vulnerabilities this February 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for two of the vulnerabilities published today, which is reflected in CISA KEV. Microsoft is aware of public disclosure for two other vulnerabilities. This is now the fifth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of just three critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month, and are not included in the total.
Ancillary Function Driver: zero-day EoP
All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by North Korean state-associated threat actor tracked as Lazarus.
Windows Storage: zero-day EoP
Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, and attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access” but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.
NTLMv2 disclosure: zero-day spoofing
It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.
Surface: zero-day container escape
A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.
LDAP server: critical RCE
Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.
DHCP client: critical RCE
Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.
Excel: critical RCE
As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Outlook Preview Pane is an attack vector, so simply glancing at an email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply drop a few USB sticks in the parking lot.
Microsoft lifecycle update
In Microsoft product lifecycle news, SQL Server 2019 moves from mainstream support to extended support on 2025-02-28.
Microsoft is addressing 161 vulnerabilities this January 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for eight of the vulnerabilities published today, with three listed on CISA KEV. This is now the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of nine critical remote code execution (RCE) vulnerabilities. Unusually, Microsoft has not yet published any browser vulnerabilities this month.
Access: triple zero-day RCE
Today sees the publication of three very similar zero-day Microsoft Access vulnerabilities: CVE-2025-21366, CVE-2025-21395, and CVE-2025-21186. In each case, Microsoft notes public disclosure, but does not claim evidence of exploitation in the wild. Successful exploitation leads to code execution via heap-based buffer overflow, and requires that an attacker convince the user to download and open a malicious file. Curiously, in each case, one portion of the advisory FAQ describes the update protection as “blocking potentially malicious extensions from being sent in an email”, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity. Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control. The FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but “it cannot be accessed”, which is perhaps the best play on words we’ve seen from MSRC in a while.
Hyper-V NT Kernel Integration VSP: triple zero-day EoP
Microsoft is addressing a trio of related Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities today: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft is aware of exploitation in the wild for all three, as seen on both the Microsoft advisories and CISA KEV. In each case, exploitation leads to SYSTEM privileges. The advisories are short on additional detail, beyond a brief acknowledgement of Anonymous — presumably an undisclosed party, rather than the hacktivist collective — on CVE-2025-21333. While we can sometimes infer context from prior examples, in this case there aren’t any; there is no mention of Hyper-V NT Kernel Integration VSP in any vulnerability published by Microsoft, at least as far back as 2017. If we look back five years, CVE-2020-16885 does describe an elevation of privilege vulnerability in the Windows storage VSP driver, but there isn’t a lot to go on there either.
The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it’s the foundation of how Hyper-V allows the child partition to trick itself into thinking that it’s a real computer. Given that the entire thing is a security boundary, it’s perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won’t be at all shocking if more now emerge. The advisories published today do not clarify whether the elevation of privilege is only to SYSTEM within the child partition, but container escape specialists will surely be hunting for exploits in this area.
Windows Themes: zero-day NTLM disclosure
Many enterprise users or even admins may not think about Windows Themes very often, but consider CVE-2025-21308: a spoofing vulnerability where successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired. Microsoft does not have evidence of in-the-wild exploitation, but does note public disclosure. The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it. Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer — including the Downloads folder — or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.
Some good news: Microsoft has removed NTLMv1 support from Windows 11 24H2 and Server 2025 onwards. Less good: it has been a whole two months since Microsoft last patched a zero-day NTLM disclosure vulnerability; that flaw was within MSHTML/Trident, and Windows 11 24H2 and Server 2025 were still vulnerable, since NTLMv2 is still supported across the board. On the advisory for CVE-2025-21308, Microsoft does link to documents describing a mitigation technique: restricting NTLM traffic. This is certainly worth a look, since a representative of reporting research organization 0patch has confirmed that NTLMv2 is affected by CVE-2025-21308.
Windows Installer: zero-day EoP
Installing or updating software often requires elevated privileges, and researchers and threat actors have known this for a long time. The advisory for CVE-2025-21275 doesn’t weigh us down with lengthy explanations, it simply says that successful exploitation leads to SYSTEM privileges. Microsoft is aware of public disclosure of this vulnerability, but not in-the-wild exploitation. CVE-2025-21275 is the latest in a long line of Windows Installer elevation of privilege vulnerabilities; Microsoft has now published 37 Windows Installer elevation of privilege vulnerabilities in total since the start of 2020, although only five of those have been zero-days, with only CVE-2024-38014 known by Microsoft to have been exploited prior to publication in September 2024.
PGM: critical RCE
Microsoft’s in-house research teams are a reliable source of vulnerability discovery in Microsoft products, and today we get patches for the self-discovered CVE-2025-21307, a critical RCE in the Windows Reliable Multicast Transport Driver (RMCAST) with a CVSSv3 base score of 9.8. The vulnerability is only exploitable on a system where a program is listening on a Pragmatic General Multicast (PGM) port.
In 2025, you might very well expect that any service that a major commercial operating system exposes to the network would provide at least some form of authentication capability, but if so, prepare to be disappointed by the Windows implementation of PGM. The concept was first described in RFC 3208, which was published in 2001 in an Experimental state and stayed that way. As Microsoft themselves put it, “the PGM specification [RFC3208] is ambiguous in a number of areas”. Given the lack of required user interaction and remote attack vector for CVE-2025-21307, it’s well worth asking yourself: does our firewall allow a PGM receiver to receive inbound traffic from the public internet? If so, the second-best time to prevent that is right now.
OLE: critical RCE
Outlook admins who force their users to read emails in plain text only can skip this paragraph, but everyone else should be aware of CVE-2025-21298, a Windows Object Linking and Embedding (OLE) critical RCE with a CVSSv3 base score of 9.8. The eternal threat of the malicious inbound email finds expression again here; just previewing the wrong email in Outlook is all it takes for an attacker to achieve code execution in the context of the user. All versions of Windows receive a patch.
Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today, and this is reflected in a CISA KEV entry. For the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today sees the publication of 16 critical remote code execution (RCE) vulnerabilities, which is more than usual. Two browser vulnerabilities have already been published separately this month, and are not included in the total.
Common Log File System: zero-day EoP
This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.
There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.
Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, unless Microsoft decides to perform a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws. Patches are available for all versions of Windows.
Groups of critical RCE
Patterns emerge when we consider the 16 critical RCE vulnerabilities published today as a whole, which might somewhat reduce the level of alarm that unusually large number might otherwise cause weary defenders.
LDAP: critical RCE
A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, which is the highest of any of the vulnerabilities which Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls, and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.
LSASS: critical RCE
Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.
Hyper-V: container escape
CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.
Remote Desktop Services: 8 critical RCEs
All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.
Microsoft lifecycle update
There are no significant Microsoft product lifecycle transitions this month.
Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today, although as with last month’s batch, it does not evaluate any of these zero-day vulnerabilities as critical severity (yet). Of those four, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three. Microsoft is also patching two further critical remote code execution (RCE) vulnerabilities today. Two browser vulnerabilities have already been published separately this month, and are not included in the total.
Active Directory Certificate Service: zero-day EoP aka EKUwu
CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn’t offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely. Vulnerable PKI environments are those which include published certificates created using a version 1 certificate template with the source of subject name set to "Supplied in the request" and Enroll permissions granted to a broader set of accounts. Microsoft does not obviously provide any means of determining the certificate template version used to create a certificate, although the advisory does offer recommendations for anyone hoping to secure certificate templates.
There is a significant history of research and exploitation of Active Directory Certificate Services, including the widely-discussed Certified Pre-Owned series, and the discovering researchers have now added further to that corpus, tagging CVE-2024-49019 as ESC15. In keeping with another long-standing infosec tradition, the researcher has provided a fun celebrity vulnerability name — in this case, EKUwu, a portmanteau of EKU (Extended Key Usage) and UwU, an emoticon representing a cute face — as part of their detailed and insightful write-up.
MSHTML: zero-day NTLMv2 hash disclosure
Given the CVSSv3 base score of 6.0, one might almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform which powered Internet Explorer. However, public disclosure and in-the-wild exploitation are always worth a look. Although exploitation requires that the user interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash, and can then use that to authenticate as the user.
Microsoft has arguably scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although the Microsoft CVSSv3 vector describes an impact only to confidentiality, if an attacker can authenticate as the user post-exploitation, a further potential for subsequent impact to integrity and availability now exists; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the sort of number where alarm bells typically start ringing for many defenders. As a further sting in the tail, the advisory FAQ describes the required user interaction as minimal: left click, right click, or even the highly non-specific “performing an action other than opening or executing [the file]”. There’s certainly the potential for a long tail of exploitation here, especially in environments with more relaxed patching cadence.
The complete Windows catalog from Server 2025 and Windows 11 24H2 all the way back to Server 2008 receives patches for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable — regardless of whether or not a Windows asset has Internet Explorer 11 disabled.
Exchange: zero-day sender spoofing
It’s been a few months since we’ve seen any security patches for Exchange, but the streak is now broken with a zero-day vulnerability. Mailserver admins should be paying attention to CVE-2024-49040, which is a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks, as well as browser vulnerabilities, and can describe a wide range of misdeeds, from visual truncation and UI overlay to homograph abuse. Microsoft does not yet claim knowledge of in-the-wild exploitation.
The advisory for CVE-2024-49040 hints that post-patching actions may be required for remediation of CVE-2024-49040, and links to further information in a separate article titled “Exchange Server non-RFC compliant P2 FROM header detection”. A careful read of the article doesn’t appear to list any mandatory post-patching actions; instead, there is an optional extra mitigation strategy action around Exchange Transport Rules, as well as an encouragingly detailed explanation of the protection offered by today’s patches. The article showcases that an Exchange-connected email client such as Outlook might display a forged sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t have to look far to find other vulnerabilities to chain with this one, since today’s sibling zero-day vulnerability CVE-2024-43451 is certainly an option. On the other hand, let’s take a moment to appreciate the Exchange team’s blog title: “You Had Me at EHLO”.
Patches for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that both Exchange 2016 and 2019 have an extended end date of 2025-10-14, which is now less than a year away; this despite the fact that the successor for 2016 and 2019, which Microsoft is unsubtly branding as Exchange Server Subscription Edition, isn’t due for release until early in 2025 Q3. Many admins would no doubt prefer a longer upgrade window.
The researcher who reported CVE-2024-49040 also discovered a means to impersonate Microsoft corporate email accounts earlier this year, but went public with his findings after Microsoft dismissed his report; it appears that the relationship has been at least somewhat repaired.
Task Scheduler: zero-day EoP (but not SYSTEM)
Windows Task Scheduler facilitates all sorts of useful outcomes, and if you’re a threat actor, it now offers one more: elevation of privilege via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Given the low attack complexity and low privileges requirement, no requirement for user interaction, high impact across the CIA triad, and changed scope, it’s no surprise that the CVSSv3 base score comes out as a relatively zesty 8.8. However, Windows elevation of privilege vulnerabilities are always most exciting for attackers when they lead directly to SYSTEM privileges, but that’s not the case here. The attacker in this scenario starts out in a low-privileged AppContainer sandbox, and exploitation via a malicious app provides medium integrity level privileges, which is the same as a regular non-administrative user on the system. Still, every step forward for a threat actor is a step back for defenders.
.NET: critical RCE
This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is so seldom a harbinger of good news. Exploitation might mean compromise of a desktop application by loading a malicious file, but most concerningly could also describe RCE in the context of a vulnerable .NET webapp via a specially crafted request. Microsoft assesses exploitation as less likely, but there’s nothing on the advisory which obviously supports that assessment, since this is a low-complexity network attack which requires neither privileges nor user interaction. CVE-2024-43498 is surely worthy of immediate patching. It’s also never a bad idea to review other options for protection, especially for internet-exposed services.
Kerberos: critical RCE
The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 89.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target, but without providing much information about the target or the precise context of code execution. The only safe assumption here is that code execution is in a highly-privileged context on a server which handles key authentication tasks. Patch accordingly.
At the other end of the lifecycle continuum, .NET 6.0 receives its final scheduled updates today; as .NET 6.0 is/was a Long Term Support (LTS) version, and .NET 7.0 is already beyond end of life, the only current upgrade path is to .NET 8.0.
Summary charts
SQL server dominating the heatmap, but it's mostly a group of closely-related client vulns.
Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for five of the vulnerabilities published today, although it does not rate any of these as critical (yet). Of those five, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is also patching three further critical remote code execution (RCE) vulnerabilities today. Three browser vulnerabilities have already been published separately this month, and are not included in the total.
Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less- threatening zero-day vulnerabilities patched today.
Microsoft Configuration Manager: pre-auth RCE
Microsoft Configuration Manager receives a patch for the only vulnerability published by Microsoft today with a CVSS base score of 9.8. Although Microsoft doesn’t tag it as either publicly disclosed or exploited-in-the-wild, the advisory for CVE-2024-43468 appears to describe a no-interaction, low complexity, unauthenticated network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially-crafted malicious requests, and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed within the Configuration Manager console, and requires specific administrator actions that Microsoft describes in detail in a generic series of articles. Further information and several specific required steps are described in KB29166583.
Confusingly, this KB29166583 was first published over a month ago on 2024-09-04, and was then subsequently unpublished and republished on 2024-09-18, all without any mention of CVE-2024-43468, which was published only today and which KB29166583 apparently remediates. Defenders should read the available documentation carefully, and then probably read it again for good measure.
RPD RPC: pre-auth RCE
Any RDP Server critical RCE is worth patching quickly. CVE-2024-43582 is a pre-auth critical RCE in the Remote Desktop Protocol Server. Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset. One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.
Winlogon: zero-day EoP
Who doesn’t love a good elevation of privilege vulnerability? Weary blue teamers who see the words “publicly disclosed” on a brand-new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon which gets an attacker all the way to SYSTEM via abuse of a third-party Input Method Editor (IME) during the sign-on process. The supplementary KB5046254 article explains that the 2024-10-08 patches disable non-Microsoft IME during the sign-in process. On that basis, outright removal of third-party IME is a mitigation available to anyone who is not able to apply today’s patches immediately.
Attack surface reduction is always worth considering, and removal of third-party IMEs certainly accomplishes that. Anyone who needs to keep a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled — only in the context of the sign-in process — to prevent exploitation of CVE-2024-43583. Although Microsoft doesn’t quite spell it out, the only reasonable interpretation of the available information is that an asset with no first-party/Microsoft IME installed would remain vulnerable after patching, since otherwise no IME would be available when attempting to sign in. Use of third-party IME is more likely to be a concern in mixed-language or non-English-speaking contexts. The disclosure process around this vulnerability may not have been entirely smooth; back in September, one of the researchers credited with the discovery expressed discontent with MSRC via X-formerly-known-as-Twitter.
Hyper-V: zero-day container escape
CVE-2024-20659 describes a publicly-disclosed security feature bypass in Hyper-V. Microsoft describes exploitation as both less likely and highly complex. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors with certain unspecified hardware are vulnerable, and exploitation requires coordination of a number of factors followed by a well-timed reboot. All this after first achieving a foothold on the same network — although in this context, this likely means access to a VM on the target hypervisor, rather than some other location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.
MSHTML: zero-day XSS
CVE-2024-43573 is an exploited-in-the-wild spoofing vulnerability in MSHTML for which Microsoft is also aware of functional public exploit code; the advisory lists CWE-79 as the weakness, which translates to cross-site scripting (XSS). The advisory is sparse on further detail, although Windows Server 2012/2012 R2 admins who typically install Security Only updates should note that Microsoft is encouraging installation of the Monthly Rollups to ensure remediation in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact to integrity or availability; a reasonable assumption might be that exploitation leads to improper disclosure of sensitive data, but no other direct effect on the target asset.
cURL: zero-day RCE
Microsoft is most famous for its closed source products, but has cautiously softened its stance on open source considerably in the past quarter century or so. Windows has included components of cURL for almost seven years at this point, along with various other open source components; Microsoft does patch these from time to time, although not always as quickly as defenders might like. Today’s patches for CVE-2024-6197, a publicly-disclosed RCE vulnerability in cURL, continue that trend.
The Microsoft advisory for CVE-2024-6197 clarifies that Windows does not ship libcurl, only the curl command line, but that’s still vulnerable and thus in scope for a fix. Exploitation requires that the user connect to a malicious server controlled by the attacker, and code execution is presumably in the context of the user launching the curl CLI tool on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on 2024-07-24, and offers further detail from their perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash, and does not specifically mention RCE, although it is careful not to exclude the possibility of unspecified “more serious results,” which could well mean RCE. Microsoft rates this vulnerability as important, which is on track with the CVSS base score of 8.8.
Management Console: zero-day RCE
CVE-2024-43572 rounds out today’s five zero-day vulnerabilities, and describes a low-complexity, no-user-interaction RCE in Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially-crafted malicious Microsoft Saved Console (MSC) file, so there’s no suggestion here that the Management Console is vulnerable via network attack. Today’s patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will know what’s trusted and what isn’t. Microsoft has chosen to map CVE-2024-43572 to CWE-70, which is a very broad category, the use of which is explicitly discouraged by MITRE.
VS Code Arduino extension: cloud critical RCE
A third critical RCE patched today is hopefully less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” really mean here? Within the advisory, Microsoft both claims to have fully mitigated the vulnerability, and also that there is no plan to fix the vulnerability. As confusing as that all sounds, perhaps the most important takeaway here is that Microsoft is now issuing cloud service CVEs in a stated effort to improve transparency. It’s not clear when the vulnerability was first introduced or when it was remediated, but nevertheless the recent expansion into a whole new class of CVEs is a welcome step by Microsoft.
SharePoint: EoP to SYSTEM
A sparse advisory for CVE-2024-43503, which is an elevation of privilege vulnerability which leads to SYSTEM. Advisories for similar vulnerabilities typically describe the specific SharePoint privileges required, but this one does not, so a reasonable assumption might be that the requirement here is simply minimal Site Member privileges.
Microsoft is addressing 79 vulnerabilities this September 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today; at time of writing, all four are listed on CISA KEV. Microsoft is also patching four critical remote code execution (RCE) vulnerabilities today. Unusually, Microsoft has not patched any browser vulnerabilities yet this month.
Servicing Stack: Windows 10 1507 rollback zero-day RCE
At first glance, the most concerning of today’s exploited-in-the-wild vulnerabilities is CVE-2024-43491, which describes a pre-auth RCE vulnerability caused by a regression in the Windows Servicing Stack that has rolled back fixes for a number of previous vulnerabilities affecting optional components.
The CVSSv3.1 base score is 9.8, which is typically not good news. However, things aren’t quite as bad as they seem: the key takeaway here is that only Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected. Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of CVE-2024-43491 itself, and the defect was discovered by Microsoft. All in all, while there are certainly more than a few organizations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else.
The Servicing Stack regression described by CVE-2024-43491 was introduced in the March 2024 patches. Those nostalgic few still running Windows 10 1507 should note that patches are required for both Servicing Stack and the regular Windows OS patch released today, and must be applied in that order. Microsoft does not specify which vulnerabilities were accidentally unpatched back in March, although there is a significant list of affected optional components at the end of the FAQ, so potentially the set of vulnerabilities in play is quite long. Given time, an enthusiastic data miner could no doubt come up with a list of likely suspects.
Microsoft does also provide a high-level explanation of what went wrong: the build number of the March 2024 security patch for 1507 triggered a latent code defect in the Servicing Stack, and any optional component which was updated during this time was downgraded to the RTM version. This might sound eerily similar to the Windows OS downgrade attacks disclosed at Black Hat USA 2024 last month, but there’s not obviously any substantial connection between the two. It’s quite likely that someone at Microsoft HQ is carefully reviewing other Windows versions for similar version range-based flaws in the Servicing Stack.
The Mark-of-the-Web (MotW) security feature bypass CVE-2024-38217 is not only known to be exploited, but is also publicly disclosed via an extensive write-up which names the technique "LNK stomping" and highlights that exploitation will typically involve explorer.exe overwriting an existing LNK file. The write-up also links to exploit code on GitHub. Beyond that, the discoverer points to VirusTotal samples going back as far as 2018 to make the case that this has been abused for a very long time indeed.
As is generally the case with MotW bypass vulnerabilities, exploitation occurs when a user downloads and opens a specially-crafted malicious file, which could then bypass the SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.
Windows Installer: zero-day EoP
Next up in today’s foursome of exploited-in-the-wild vulnerabilities is CVE-2024-38014: an elevation of privilege vulnerability in Windows Installer. The middling CVSSv3.1 base score of 7.8 lines up with Microsoft’s severity assessment of Important rather than Critical. Exploitation grants code execution as SYSTEM, and although the attack vector is local, this might be at least slightly attractive to malware authors, since both attack complexity and privilege requirements are low, and no user interaction is required.
In this case, CWE-269: Improper Privilege Management presumably describes a means of causing the Windows Installer to be over-generous with the privileged access it requires to install software and configure the OS. All current versions of Windows receive a fix, as well as Server 2008, which Microsoft persists in patching from time to time out of the goodness of its heart, even if the end of official support was almost a year ago now.
Microsoft Publisher: zero-day macro policy bypass
It’s been a little while since we talked about Microsoft Publisher, so today’s publication of CVE-2024-38226 — a local security feature bypass for Office macro policy — gives us a chance to do that. The Preview Pane is not involved, and the description of exploit methodology in the FAQ is welcome, but somewhat unusual: an attacker must not only convince a user to download and open a malicious file, but the attacker must also be authenticated on the system itself, although the FAQ does not explain further.
Moving past those vulnerabilities which are known to be exploited or disclosed already, we see three critical RCE vulns: two in SharePoint, and one in the Windows NAT implementation.
SharePoint: two critical RCEs
Network-vector exploitation of SharePoint RCE CVE-2024-38018 requires that an attacker have Site Member permissions already, but since those aren’t exactly the crown jewels, attack complexity is low, and no user interaction is required, Microsoft very reasonably rates this as Critical on its own proprietary severity scale, and expects that exploitation is more likely.
The second SharePoint critical RCE patched this month is CVE-2024-43464, which describes a deserialization of untrusted data leading to code execution in the context of the SharePoint Server via specially-crafted API calls after uploading a malicious file; one mitigating factor is that the attacker must already have Site Owner permissions or better. This all sounds very similar to CVE-2024-30044, which Rapid7 wrote about back in May 2024.
Windows NAT: critical RCE
Rounding out this month’s critical RCE vulnerabilities is CVE-2024-38119, which describes a use after free flaw in the Windows NAT implementation. Attack vector is listed as adjacent, so an attacker would need an existing foothold on the same network as the target asset before winning a race condition, which bumps up the attack complexity to high. Even though this looks to be pre-auth RCE, Microsoft lists exploitation as less likely. For reasons unknown, Server 2012/2012 R2 does not receive a patch, although all newer supported versions of Windows do.
Exchange: nothing, still?
After a busy couple of months back in March and April 2024, it’s been all quiet on the Exchange front for quite some time, and this month extends that curiously lucky streak.
Microsoft lifecycle update
There are no significant changes to Microsoft product lifecycle during September 2024, although anyone responsible for Azure Database for MySQL - Single Server has until the sunset date of 2024-09-16 to migrate to a supported service to avoid involuntary forced-migration and server unavailability.
As Rapid7 noted last month, Visual Studio for Mac received its last ever patches on 2024-08-31. Also on 2024-08-31, a number of legacy Azure services reached retirement, including Azure Cache for Redis on Cloud Services (Classic).
October will see significant lifecycle changes for Windows 11: release end date for the 21H2 versions of Windows 11 Enterprise and Education, as well as release end date for 22H2 versions for other Windows 11 editions. Fans of legacy software will already know that Server 2012 and 2012 R2 move into year two of the cash-for-updates Extended Security Update program in October.
Microsoft is addressing 88 vulnerabilities this August 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for ten of the vulnerabilities published today, which is significantly more than usual. At time of writing, all six of the known-exploited vulnerabilities patched today are listed on CISA KEV. Microsoft is also patching five critical remote code execution (RCE) vulnerabilities today. 11 browser vulnerabilities have already been published separately this month, and are not included in the total.
Patch Tuesday watchers will know that today’s haul of four publicly-disclosed vulnerabilities and six further exploited-in-the-wild vulnerabilities is a much larger batch than usual. We’ll first address those vulnerabilities where public disclosure exists but no patch is available: the noteworthy Windows OS downgrade attacks disclosed at Black Hat last week. We’ll then examine those vulnerabilities published today which Microsoft knows to be exploited in the wild already, and then take a look at the other publicly-disclosed vulnerabilities published this month.
Windows Update: 50% patched zero-day Downdate attack
First things first: what if your patched Windows asset suddenly wasn’t patched, up to and including the hypervisor? That was the question asked and answered in a Black Hat talk by SafeBreach last week. In response, Microsoft has published two vulnerabilities. Microsoft was first notified of these vulnerabilities back in February 2024, and the advisories concede that the Black Hat talk was “appropriately coordinated with Microsoft.”
CVE-2024-38202 describes an elevation of privilege vulnerability in the Windows Update Stack, and exploitation requires that an attacker convinces an administrative user to perform a system restore — unusual, certainly, but social engineers can accomplish many things. Microsoft optimistically assesses exploitation of this vulnerability as less likely. The advisory does not explain how a user with basic privileges can modify the target asset’s System directory, which is required to plant the malicious system restore files, although the SafeBreach write-up does explain the flaw in significant detail. No patch is yet available, although the advisory states that a security update to mitigate this threat is under development. Microsoft provides several recommended actions, which do not mitigate the vulnerability, but can at least provide additional barriers to exploitation and put in place some useful additional visibility of the attack surface and exploitation attempts. One possible outcome of exploitation is that an attacker could modify the integrity and repair utility so that it will no longer detect corruptions in Windows system files.
CVE-2024-21302 is the second half of the downgrade attack pair discovered by SafeBreach. Exploitation allows an attacker with administrator privileges to replace updated Windows system files with older versions and thus reintroduce vulnerabilities to Virtualization-based security (VBS). Patches are available; however, defenders must note that the patch does not automatically remediate assets, but instead delivers an opt-in Microsoft-signed revocation policy, which brings with it the risk of a boot loop if applied and then improperly reverted. Significant guidance is available under KB5042562: Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates.
Windows WinSock: zero-day EoP
Moving on to known-exploited vulnerabilities: the Windows Ancillary Function Driver for WinSock receives a patch for exploited-in-the-wild elevation of privilege vulnerability CVE-2024-38193. Successful exploitation is via a use-after-free memory management bug, and could lead to SYSTEM privileges. The advisory doesn’t provide further clues, but with existing in-the-wild exploitation, low attack complexity, no user interaction involved, and low privileges required, this is one to patch immediately to keep malware at bay.
Windows Power Dependency Coordinator: zero-day EoP
While we’re looking at exploited-in-the-wild, use-after-free vulnerabilities with minimalist advisories: CVE-2024-38107 also leads to SYSTEM privileges via abuse of the Windows Power Dependency Coordinator, which allows Windows computers to wake almost instantly from sleep. Of course, nothing comes for free: this vulnerability requires no user interaction, has low attack complexity, and requires low privileges. Patch all your Windows assets sooner rather than later.
Windows Kernel: zero-day EoP
Still on the topic of exploited-in-the-wild, elevation-to-SYSTEM vulnerabilities: CVE-2024-38106 requires an attacker to win a race condition which falls under CWE-591: Sensitive Data Storage in Improperly Locked Memory. Although the advisory for CVE-2024-38106 does not provide further detail, a reasonable assumption here might be that the vulnerability could be similar to CVE-2023-36403, where exploitation relies on a flaw in the way the Windows kernel handles locking for registry virtualization, which allows Windows to redirect globally-impactful registry read/write operations to per-user locations to support legacy applications which are not UAC-compatible. Curiously, Windows Server 2012 does not receive a patch for CVE-2024-38106, so either the vulnerability was introduced in a later codebase, or Microsoft is hoping that attackers won’t notice.
Windows SmartScreen: zero-day MotW bypass
CVE-2024-38213 describes a Mark of the Web (MotW) security bypass vulnerability in all current Windows products. An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW. CVE-2024-38213 likely offers less utility to attackers than a broadly-similar SmartScreen bypass published in February 2024, since unlike today’s offering, the advisory for the previous CVE-2024-21351 also described the potential for code injection into SmartScreen itself. The lower CVSSv3 base score for today's CVE-2024-38213 reflects that difference.
Edge Internet Explorer mode: zero-day EoP
Although Edge RCE vulnerability CVE-2024-38178 is already known to be exploited in the wild, it likely won’t be top of anyone’s list of greatest concerns this month. The advisory clarifies that successful exploitation would require the attacker to not only convince a user to click a malicious link, but also to first prepare the target asset so that it uses Edge in Internet Explorer Mode. IE Mode provides backwards-compatibility functionality so that users can view legacy websites which rely on the fascinating idiosyncrasies of Internet Explorer; such sites are often served by enterprise legacy web applications, which goes a long way to explaining Microsoft’s continued motivation to keep Internet Explorer somewhat alive. If not already enabled on the target asset, the attacker would have to achieve a modification of Edge settings to enable the “Allow sites to be reloaded in Internet Explorer” setting. Subsequent exploitation would involve convincing the user to open an Internet Explorer mode tab within Edge and then opening the malicious URL. Remediation involves patching Windows itself; all current versions of Windows are affected.
Microsoft Project: zero-day RCE
Rounding out this month’s half dozen exploited-in-the-wild vulnerabilities is CVE-2024-38189, which describes RCE in Microsoft Project. Exploitation requires that an attacker convince the user to open a malicious file, and is possible only where the “Block macros from running in Office files from the Internet” policy is disabled — it is enabled by default — and the “VBA Macro Notification Settings” are set to a low enough level. Happily, the Preview Pane is not an attack vector in this case.
Microsoft Office: zero-day spoofing
Published last week to acknowledge its public disclosure, and patched today for all current versions of Office, CVE-2024-38200 describes a spoofing vulnerability. Exploitation requires that the user click a malicious link. Although the advisory doesn’t describe the impact, the weakness is CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and the FAQ mentions outgoing NTLM traffic; reading between the lines, it’s highly likely that NTLM hashes are exposed upon successful exploitation.
The advisory suggests mitigating factors which may already apply, or which may prove helpful to improve security posture: adding users to the Protected Users Security Group, which prevents the use of NTLM authentication, and blocking outbound SMB connections to port 445. Both of these mitigation measures may break legacy authentication in some scenarios.
Somewhat unusually, Microsoft claims to have fixed this vulnerability twice, since in addition to today’s patches, an alternative fix was enabled via Feature Flighting on 2024-07-30 for all in-support versions of Office and 365. Microsoft still recommends that customers update to the 2024-08-13 patches to receive the final version of the fix. Somewhat confusingly, the FAQ then goes on to say that the Security Updates table will be revised when the update is publicly available; however, it’s likely that Microsoft will update the FAQ in the near future to clarify that a this was a minor FAQ editing oversight rather than a suggestion that further patches are expected.
Windows Line Printer Daemon: zero-day RCE
Line Printer Daemon (LPD) vulnerabilities are like buses: you wait ages for one, and then two come along in quick succession. Last month’s denial of service vulnerability is now joined by CVE-2024-38199, a publicly-disclosed RCE vulnerability. Exploitation requires that an attacker sends a malicious print task to a shared vulnerable Windows Line Printer Daemon service across the network. Many admins won’t need to worry about this vulnerability, since Microsoft has been encouraging everyone to migrate away from LPD for almost a decade, and it isn’t installed by default on Windows products newer than Server 2012. Still, patches are available for Windows Server 2008 SP2, Server 2022 23H2, and everything in between.
SharePoint & Exchange update
As something of an olive branch for defenders who may now be eyeing their to-do list with concern, Microsoft has not published any SharePoint or Exchange vulnerabilities this month.
Microsoft lifecycle update
All versions of Visual Studio for Mac retire on 2024-08-31 and will no longer receive any further updates — including security patches — after that date. The URL seems to anticipate that some people will have questions: https://learn.microsoft.com/en-us/visualstudio/mac/what-happened-to-vs-for-mac. Microsoft suggests the C# Dev Kit for Visual Studio Code as one possible alternative.
It’s June 2024 Patch Tuesday. Microsoft is addressing 51 vulnerabilities today, and has evidence of public disclosure for just a single one of those. At time of writing, none of the vulnerabilities published today are listed on CISA KEV, although this is always subject to change. Microsoft is patching a single critical remote code execution (RCE) vulnerability today. Seven browser vulnerabilities were published separately this month, and are not included in the total.
MSMQ: critical RCE
The sole critical RCE patched today is CVE-2024-30080 for all current versions of Windows. Exploitation requires that an attacker send a specially crafted malicious packet to an MSMQ server, which Patch Tuesday watchers will know as a perennial source of vulnerabilities. As usual, Microsoft points out that the Windows message queuing service is not enabled by default; as usual, Rapid7 notes that a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. As is typical of MSMQ RCE vulnerabilities, CVE-2024-30080 receives a high CVSSv3 base score due to the network attack vector, low attack complexity, and lack of required privileges. Code execution is presumably in a SYSTEM context, although the advisory does not specify.
Office: malicious file RCEs
Microsoft Office receives patches for a pair of RCE-via-malicious-file vulnerabilities. CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition. On the other hand, CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.
SharePoint: RCE
This month also brings a patch for SharePoint RCE CVE-2024-30100. The advisory is sparing on details, and the context of code exploitation is not clear. The weakness is described as CWE-426: Untrusted Search Path; many (but not all) vulnerabilities associated with CWE-426 lead to elevation of privilege.
DNSSEC NSEC3: CPU exhaustion DoS
And now for something completely different: CVE-2023-50868, which describes a denial of service vulnerability in DNSSEC. This vulnerability is present in the DNSSEC spec itself, and the CVE was assigned by MITRE on behalf of DNSSEC. Microsoft’s implementation of DNSSEC is thus subject to the same attack as other implementations. An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request. NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist. Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, and this is the foundation on which this DoS exploit rests. All current versions of Windows Server receive a patch today.
Typically, when Microsoft publishes a security advisory and describes the vulnerability as publicly disclosed, that public disclosure will have been recent. However, in the case of CVE-2023-50868, the flaw in DNSSEC was first publicly disclosed on 2024-02-13. The advisory acknowledges four academics from the German National Research Centre for Applied Cybersecurity (ATHENE), which is perhaps of interest since these same researchers are authors on a March 2024 academic paper that downplays the DoS potential of CVE-2024-50868. Those same researchers published another DNSSEC flaw CVE-2023-50387 (also known as KeyTrap) in January 2024, which they describe as having potentially serious implications; Microsoft patched that one at the next scheduled opportunity in February. The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner; a reasonable assumption might be that Microsoft assesses CVE-2023-50868 as less urgent/critical than CVE-2023-50387, although both receive a rating of Important on Microsoft’s proprietary severity ranking scale. It’s also possible that Microsoft does not wish to be the only major server OS vendor without a patch.
Lifecycle update
There are no significant changes to the lifecycle phase of Microsoft products this month. In July, Microsoft SQL Server 2014 will move past the end of extended support. From August onwards, Microsoft only guarantees to provide SQL Server 2014 security updates to customers who choose to participate in the paid Extended Security Updates program.
Summary Charts
What goes up must come down and/or is an attacker's privilege level.No spoofing. No security feature bypass. Plenty of elevation of privilege though.
Microsoft is addressing 61 vulnerabilities this May 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for three of the vulnerabilities published today. At time of writing, two of the vulnerabilities patched today are listed on CISA KEV. Microsoft is also patching a single critical remote code execution (RCE) vulnerability today. Six browser vulnerabilities were published separately this month, and are not included in the total.
Windows DWM: zero-day EoP
The first of today’s zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Windows Manager (DWM) Core Library which is listed on the CISA KEV list. Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the display of a Windows system.
Reporters Securelist have linked exploitation of CVE-2024-30051 with deployment of QakBot malware, and the vulnerability while investigating a partial proof-of-concept contained within an unusual file originally submitted to VirusTotal by an unknown party. Securelist further notes that the exploitation method for CVE-2024-30051 is identical to a previous DWM zero-day vulnerability CVE-2023-36033, which Microsoft patched back in November 2023.
Courtesy of Microsoft’s recent enhancement of their security advisories to include Common Weakness Enumeration (CWE) data, the mechanism of exploitation is listed as CVE-122: Heap-based Buffer Overflow, which is just the sort of defect which recent US federal government calls for memory safe software development are designed to address.
MSHTML: zero-day security feature bypass
The Windows MSHTML platform receives a patch for CVE-2024-30040, a security feature bypass vulnerability for which Microsoft has evidence of exploitation in the wild, and which CISA has also listed on KEV.
The advisory states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user.
As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable to CVE-2024-30040 — regardless of whether or not a Windows asset has Internet Explorer 11 fully disabled.
Visual Studio: zero-day DoS
Rounding out today’s trio of zero-day vulnerabilities: a denial of service (DoS) vulnerability in Visual Studio.
Microsoft describes CVE-2024-30046 as requiring a highly complex attack to win a race condition through “[the investment of] time in repeated exploitation attempts through sending constant or intermittent data”. Since all data sent anywhere is transmitted either constantly or intermittently, and the rest of the advisory is short on detail, the potential impact of exploitation remains unclear.
Only Visual Studio 2022 receives an update, so older supported versions of Visual Studio are presumably unaffected.
SharePoint: critical post-auth RCE
SharePoint admins are no strangers to patches for critical RCE vulnerabilities. CVE-2024-30044 allows an authenticated attacker with Site Owner permissions or higher to achieve code execution in the context of SharePoint Server via upload of a specially crafted file, followed by specific API calls to trigger deserialization of the file’s parameters.
Microsoft considers exploitation of CVE-2024-30044 more likely, and the low attack complexity and network attack contribute to a relatively high CVSS 3.1 base score of 8.8. The advisory also lists the privileges required vector component as low, which is debatable given the Site Owner authentication requirement for exploitation.
Microsoft Excel receives a patch for CVE-2024-30042. Successful exploitation requires that an attacker convince the user to open a malicious file, which leads to code execution, presumably in the context of the user.
Remote Access Connection Manager: last month’s vulns repatched
Also of interest today: Microsoft is releasing updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.
Mobile Broadband driver: 11 local USB RCEs
The Windows Mobile Broadband driver receives patches for no fewer than 11 vulnerabilities; for example, CVE-2024-29997. All 11 vulnerabilities appear very similar based on the advisories. In each case, the relatively low CVSS base score of 6.8 reflects that an attacker must be physically present and insert a malicious USB device into the target host.
Third-party open source patches
Back in 2021, Microsoft started publishing the Assigning CNA (CVE Numbering Authority) field on advisories. A welcome trend of publishing advisories for third-party software included in Microsoft products continues this month with two vulnerabilities in MinGit patched as part of the May 2024 Windows security updates. MinGit is published by GitHub and consumed by Visual Studio. CVE-2024-32002 describes a RCE vulnerability on case-insensitive filesystems that support symlinks — macOS APFS comes to mind — and CVE-2024-32004 describes RCE while cloning specially-crafted local repositories.
Lifecycle update
There are no significant changes to the lifecycle phase of Microsoft products this month.
Summary Charts
Mobile Broadband is this month's winner, albeit for 11 apparently very similar vulns.RCE: the people's champion.The lesser-spotted Tampering impact type makes an appearance this month.
Microsoft is addressing 149 vulnerabilities this April 2024 Patch Tuesday, which is significantly more than usual. For the second month in a row, Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing.
Despite the large number of vulnerabilities published today, Microsoft has ranked only three as critical under its proprietary severity scale. Five browser vulnerabilities were published separately this month, and are not included in the total.
Microsoft is now including two additional data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments.
Defender for IoT: three critical RCEs
Microsoft Defender for IoT receives patches for three critical remote code execution (RCE) vulnerabilities. Microsoft describes Defender for IoT as an Azure-deployable agentless monitoring solution for Internet of Things (IoT) and Operational Technology (OT) devices.
The advisory for CVE-2024-21322 is light on detail, but notes that exploitation requires the attacker to have existing administrative access to the Defender for IoT web application; this limits the attacker value in isolation, although the potential for insider threat or use as part of an exploit chain remains.
CVE-2024-21323 describes an update-based attack and requires prior authentication; an attacker with the ability to control how a Defender for IoT sensor receives updates could cause the sensor device to apply a malicious update package, overwriting arbitrary files on the sensor filesystem via a path traversal weakness.
Exploitation of CVE-2024-29053 allows arbitrary file upload for any authenticated user, also via a path traversal weakness, although the advisory does not specify what the target is other than “the server”.
The Defender for IoT 24.1.3 release notes do not call out these security fixes and describe only improvements to clock drift detection and unspecified stability improvements; this omission highlights the evergreen value of timely patching.
SharePoint: XSS spoofing
SharePoint receives a patch for CVE-2024-26251, a spoofing vulnerability which abuses cross-site scripting (XSS) and affects SharePoint Server 2016, 2019, and Subscription Edition. Exploitation requires multiple conditions to be met, including but not limited to a reliance on user actions, token impersonation, and specific application configuration. On that basis, although Microsoft is in possession of mature exploit code, exploitation is rated less likely.
Excel: arbitrary file execution
Microsoft is patching a single Office vulnerability today. CVE-2024-26257 describes a RCE vulnerability in Excel; exploitation requires that the attacker convinces the user to open a specially-crafted malicious file.
Patches for Windows-based click-to-run (C2R) Office deployments and Microsoft 365 Apps for Enterprise are available immediately. Not for the first time, a patch for Office for Mac is unavailable at time of writing, and will follow at some unspecified point in the future.
SQL Server OLE DB driver: dozens of RCE
The Microsoft OLE DB Driver for SQL Server receives patches for no fewer than 38 separate RCE vulnerabilities today, which might be a record for a single component. The common theme here is that an attacker could trick a user into connecting to a malicious SQL server to achieve code execution in the context of the client.
All quiet on the Exchange front
There are no security patches for Exchange this month.
Microsoft advisory metadata: CWE and Vector String Source
Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment. At time of writing, the addition of CWE assessments does not appear to be retroactive.
The Common Vulnerability Scoring System (CVSS) is a widely-used standard for evaluation of vulnerability severity, and Microsoft has helpfully provided CVSS data for each vulnerability for a long time. The CVSS vector describes the variables which comprise the overall CVSS severity score for a vulnerability. The addition of Vector String Source — typically, the entity providing the CVSS assessment on a Microsoft vulnerability will be Microsoft — provides further welcome clarity, at least for vulnerabilities where Microsoft is the CVE Numbering Authority (CNA). It may not be a coincidence that Microsoft is choosing to start explicitly describing the source of the CVSS vector during the ongoing uncertainty around the future of the NVD program.
Lifecycle update
Several Microsoft products move past the end of mainstream support after today:
Azure DevOps Server 2019.
System Center 2019.
Visual Studio 2019.
Additionally, some older products move past the end of extended support, including:
Microsoft Deployment Agent 2013.
Microsoft Diagnostics and Recovery Toolset 8.1.
Visual Studio 2013.
Summary Charts
38 is a big number in this context.Blowout victory for RCE this month.The sheer volume of OLE DB provider for SQL vulns eclipses everything else this month.
