The Human Connection Blog

CVE-2024-30051: What You Need to Know

KitHudson
2 months ago

CVE-2024-30051 is a high-severity privilege escalation vulnerability discovered by Kaspersky researchers in April 2024. This article outlines the vulnerability, how it can be exploited, and how to protect your organisation from it and similar threats.

What is CVE-2024-30051?

CVE-2024-30051 is a vulnerability in the Microsoft Windows Desktop Window Manager (DWM) Core Library that allows attackers to gain SYSTEM-level privileges and execute arbitrary code, giving them extensive control over the compromised system.

Which systems are affected?

CVE-2024-30051 impacts a broad range of Windows systems, including:

  • Windows 10 (various versions)
  • Windows 11 (various versions)
  • Windows Server 2016 and later versions

For a precise list of affected product configurations, check out the NIST National Vulnerability Database.

How could bad actors use this security issue?

Attackers have already exploited CVE-2024-30051 in real-world attacks, using it to distribute Qakbot malware via malicious email attachments or compromised websites. Once the malicious code is executed, the vulnerability is used to escalate privileges, allowing deep system access for installing more malware, stealing sensitive data, or taking full control of the system.

How to protect your organisation

The simplest and most obvious method is to apply the latest Windows security updates as soon as they become available. Microsoft released patches addressing CVE-2024-30051 as part of its May 2024 Patch Tuesday updates. Organisations and users are strongly advised to apply these patches immediately to protect their systems from potential exploitation.

To verify if you've been affected by this vulnerability, analyse your logs for suspicious activity. Specifically, look for DLLs loaded from locations outside of system32 by legitimate Windows processes, as this may indicate the CVE-2024-30051 exploit has been used to load a malicious DLL.
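One way to run this check over exported logs, as an added example that is not part of the original post. It assumes Sysmon Event ID 7 (ImageLoad) records exported as dictionaries with the `Image` and `ImageLoaded` fields; the watch list of processes and the sample records are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: watch list of Windows processes that live in System32.
WATCHED = {"dwm.exe", "svchost.exe", "winlogon.exe"}

def norm(path):
    """Lower-case and collapse '..' so traversal cannot disguise the real folder."""
    return ntpath.normpath(path).lower()

def suspicious_loads(events):
    """Return (process, dll) pairs: watched System32 process, DLL outside System32."""
    hits = []
    for ev in events:
        if str(ev.get("EventID")) != "7":      # Sysmon ImageLoad events only
            continue
        image, dll = norm(ev.get("Image", "")), norm(ev.get("ImageLoaded", ""))
        if ntpath.basename(image) not in WATCHED or not image.startswith(SYSTEM32):
            continue                            # not a genuine watched system binary
        if not dll.startswith(SYSTEM32):
            hits.append((image, dll))
    return hits

# Constructed sample records, shaped like Sysmon Event ID 7 exports.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\dwm.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmcore.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\dwm.exe",
     "ImageLoaded": r"C:\Users\Public\example.dll"},
    {"EventID": 7, "Image": r"C:\WINDOWS\system32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\example2.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dwm.exe",
     "ImageLoaded": r"C:\Temp\ignored.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\lib.dll"},
]

if __name__ == "__main__":
    for image, dll in suspicious_loads(SAMPLE_EVENTS):
        print(f"REVIEW: {image} loaded {dll}")
```

Hits are leads for triage rather than confirmed compromise; expect to allow-list known-good load locations in your own environment.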

Additionally, to reduce exposure to future vulnerabilities, educate users about the risks of phishing and malware. Qakbot is often spread through email attachments or malicious websites, so users should understand the risks of opening attachments from unknown senders or clicking on suspicious links in emails.

Conclusion

CVE-2024-30051 highlights the importance of cybersecurity awareness and proactive measures: it can be mitigated through organisational cyber awareness and regular patching policies. As always, staying informed about potential vulnerabilities is crucial to mitigating such risks.

Recommended content

If you’d like to learn how to detect this vulnerability in a sandboxed environment, check out our CVE-2024-30051 lab. In this lab, you'll threat hunt through a SIEM system to identify indicators of compromise (IoCs).

Don’t forget you can seek help and collaboration with this lab content in our Help & Support Forum!

Share your thoughts

If CVE-2024-30051 has impacted your organization, we’d love to hear about your steps to mitigate the risk. Do you have any recommendations for preparing for similar vulnerabilities in the future? 

Updated 2 months ago
Version 1.0