CVE-2020-24307

7.8 HIGH

📋 TL;DR

CVE-2020-24307 is a privilege escalation vulnerability in mRemoteNG v1.76.20 that allows attackers to execute arbitrary code with elevated privileges via a crafted executable file. This affects users running the vulnerable version of mRemoteNG on Windows systems. The vulnerability leverages improper privilege management to bypass security controls.

💻 Affected Systems

Products:
  • mRemoteNG
Versions: v1.76.20
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects mRemoteNG v1.76.20. Third-party analysis suggests limited reproducibility of the specific BUILTIN\Users:(M) access claim.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain SYSTEM-level privileges on the affected Windows machine, enabling complete system compromise, data theft, lateral movement, and persistence.

🟠 Likely Case

Local attackers escalate from standard user privileges to administrative privileges, allowing installation of malware, credential harvesting, and further network exploitation.

🟢 If Mitigated

With proper privilege separation and application control policies, impact is limited to the user context without administrative escalation.

🌐 Internet-Facing: LOW - This requires local access or execution of a crafted file on the target system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal attackers with standard user access can exploit this to gain administrative privileges on compromised workstations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and ability to execute a crafted file. Public proof-of-concept code exists on Packet Storm Security and GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.76.21 and later

Vendor Advisory: https://github.com/mRemoteNG/mRemoteNG/issues/2338

Restart Required: Yes

Instructions:

1. Download latest mRemoteNG version from official repository.
2. Uninstall vulnerable version.
3. Install updated version.
4. Restart system to ensure clean state.

🔧 Temporary Workarounds

Remove vulnerable version

windows

Uninstall mRemoteNG v1.76.20 and replace with alternative remote management tools

Control Panel > Programs > Uninstall a program > Select mRemoteNG > Uninstall

Restrict execution permissions

windows

Apply application control policies to prevent execution of unauthorized binaries

Use Group Policy or Windows Defender Application Control to restrict mRemoteNG execution

🧯 If You Can't Patch

  • Implement strict least-privilege access controls to limit user permissions
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check mRemoteNG version in Help > About menu or examine installed programs list for version 1.76.20

Check Version:

wmic product where name="mRemoteNG" get version

Verify Fix Applied:

Verify installed version is 1.76.21 or later in Help > About menu
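
The version check above can be combined with a look at the install directory's ACL for the BUILTIN\Users write access mentioned in the notes. This is an added example, not code from the vendor or from this advisory; it assumes the installer registers a DisplayName beginning with "mRemoteNG" and records InstallLocation under the standard Uninstall registry keys, and the function name `Get-MRemoteNGAudit` is hypothetical.

```powershell
# Added example: report installed mRemoteNG versions and whether BUILTIN\Users
# holds write-capable rights on the install directory.
# Assumptions: DisplayName starts with "mRemoteNG"; InstallLocation is recorded.
function Get-MRemoteNGAudit {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Rights that allow planting or replacing files. Read/execute bits are
    # deliberately excluded so a normal read-only grant is not flagged.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) ACEs.
    $mask = [int]$writeRights -bor 0x50000000
    # Well-known SID for BUILTIN\Users; avoids localized group names.
    $usersSid = 'S-1-5-32-545'

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'mRemoteNG*' } |
        ForEach-Object {
            $app = $_
            # DisplayVersion may carry a fourth component; compare the first three.
            $version = $app.DisplayVersion -as [version]
            $affected = ($null -ne $version) -and
                        $version.Major -eq 1 -and $version.Minor -eq 76 -and $version.Build -eq 20

            # Stays $null when no install path is recorded or it no longer exists.
            $usersCanWrite = $null
            if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
                $acl = Get-Acl -LiteralPath $app.InstallLocation
                # Include explicit and inherited ACEs, resolved to SIDs.
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                $usersCanWrite = [bool]($rules | Where-Object {
                    $_.IdentityReference.Value -eq $usersSid -and
                    $_.AccessControlType -eq 'Allow' -and
                    (([int]$_.FileSystemRights -band $mask) -ne 0)
                })
            }

            [pscustomobject]@{
                DisplayName     = $app.DisplayName
                DisplayVersion  = $app.DisplayVersion
                AffectedVersion = $affected
                InstallLocation = $app.InstallLocation
                UsersCanWrite   = $usersCanWrite
            }
        }
}

Get-MRemoteNGAudit | Format-List
```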

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unexpected process creation with elevated privileges
  • Security logs with privilege escalation events (Event ID 4672, 4688)

Network Indicators:

  • Unusual outbound connections from mRemoteNG process to unknown destinations

SIEM Query:

source="windows_security" (event_id=4672 OR event_id=4688) process_name="mRemoteNG.exe"
