CVE-2023-24860

7.5 HIGH

📋 TL;DR

CVE-2023-24860 is a denial-of-service vulnerability in Microsoft Defender that allows attackers to crash the antimalware service, temporarily disabling protection. This affects Windows systems running vulnerable versions of Microsoft Defender. The vulnerability requires local access to the system.

💻 Affected Systems

Products:
  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
Versions: Multiple Windows versions prior to March 2023 updates
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; requires local system access to exploit.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of Microsoft Defender protection, leaving the system vulnerable to malware and other attacks until the service is restarted.

🟠 Likely Case

Temporary denial of service of the Microsoft Defender antimalware service, requiring a manual service restart to restore protection.

🟢 If Mitigated

Minimal impact with proper patching and monitoring; the service restarts automatically but leaves a brief protection gap.

🌐 Internet-Facing: LOW - Requires local system access; not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised accounts could exploit this to disable endpoint protection.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access; proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2023 security updates (KB5023696, KB5023697, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24860

Restart Required: Yes

Instructions:

1. Apply the March 2023 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS, Microsoft Endpoint Configuration Manager, or Microsoft Intune.
3. Restart systems to complete installation.

🔧 Temporary Workarounds

Restrict local access (windows): Limit local user privileges and implement least-privilege access controls.

Monitor Defender service (windows): Implement monitoring for Microsoft Defender service crashes and automatic restart.

🧯 If You Can't Patch

  • Implement strict access controls to limit who has local system access
  • Deploy additional endpoint protection layers and monitor for Defender service disruptions

🔍 How to Verify

Check if Vulnerable:

Check the Windows Update history for the March 2023 security updates; verify that the Microsoft Defender version is 1.381.2140.0 or later.

Check Version:

Get-MpComputerStatus | Select-Object AMProductVersion

Verify Fix Applied:

Verify that the March 2023 security updates are installed and that the Microsoft Defender service is running normally.
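The three checks above (update history, Defender version, service state) collected in one PowerShell run, as an added example that is not part of this advisory page. It assumes an elevated session with the Defender module (Get-MpComputerStatus) available; $RequiredVersion is the value the page states, compared against AMProductVersion because that is the field the page's own one-liner selects, and $KbList is the page's list of March 2023 updates, which is not necessarily complete for every Windows build.

```powershell
# Added example: collect, on one Windows host, the facts this page says to check
# for CVE-2023-24860. Run in an elevated PowerShell session.
# $RequiredVersion is the value stated on the page; $KbList is the page's KB list.

$RequiredVersion = [version]'1.381.2140.0'
$KbList          = @('KB5023696', 'KB5023697')

function Get-DefenderCveStatus {
    $mp  = Get-MpComputerStatus
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # Get-HotFix lists installed updates by KB id; keep those on the page's list.
    $installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbList -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    $productVersion = [version]$mp.AMProductVersion

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AMProductVersion          = $mp.AMProductVersion
        # Defender updates its engine and security intelligence separately from
        # the platform, so both are shown for comparison with vendor release notes.
        AMEngineVersion           = $mp.AMEngineVersion
        AntivirusSignatureVersion = $mp.AntivirusSignatureVersion
        AMServiceEnabled          = $mp.AMServiceEnabled
        WinDefendStatus           = $svcStatus
        MarchUpdatesFound         = $installedKbs
        VersionMeetsPage          = ($productVersion -ge $RequiredVersion)
        ProtectionRunning         = [bool]($mp.AMServiceEnabled -and $svc -and $svc.Status -eq 'Running')
    }
}

$result = Get-DefenderCveStatus
$result | Format-List

if (-not $result.VersionMeetsPage -and $result.MarchUpdatesFound.Count -eq 0) {
    Write-Warning "$($result.ComputerName): Defender version below $RequiredVersion and none of $($KbList -join ', ') installed; treat as unpatched for CVE-2023-24860."
}
if (-not $result.ProtectionRunning) {
    Write-Warning "$($result.ComputerName): Defender antimalware service is not running; protection gap until WinDefend is started."
}
```

Run it per host, or wrap Get-DefenderCveStatus in Invoke-Command for a fleet; the object output is deliberately flat so it can be exported to CSV and compared across machines.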

📡 Detection & Monitoring

Log Indicators:

  • Event ID 1000 from MsMpEng.exe crashes in Application logs
  • Unexpected Microsoft Defender service stops

Network Indicators:

  • Unusual local process activity attempting to interact with the Defender service

SIEM Query:

EventID=1000 AND Source="Application Error" AND ProcessName="MsMpEng.exe"
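The SIEM query above run locally against the Windows event logs, combined with the "Monitor Defender service" workaround from the Temporary Workarounds section (check the WinDefend service and restart it if it has stopped). This is an added example, not code from the page or from Microsoft; it assumes an elevated session. The 24-hour lookback, the Service Control Manager event ids 7031/7034 ("service terminated unexpectedly") used as a second indicator, and the restart behaviour are choices made here, not taken from the page.

```powershell
# Added example: the page's SIEM logic (Application log, Event ID 1000, source
# "Application Error", faulting process MsMpEng.exe) run with Get-WinEvent, plus a
# WinDefend service health check with optional restart. Assumes an elevated session.

function Get-DefenderCrashEvents {
    param([datetime]$Since)

    # Same selection as the page's SIEM query. The faulting process name is only
    # in the message text, so it is filtered after the fetch.
    $crashes = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Application Error'
            Id           = 1000
            StartTime    = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MsMpEng\.exe' })

    # Second indicator (assumption, not on the page): Service Control Manager logs
    # an unexpected service exit as 7031 (with recovery action) or 7034 (without).
    # The display name contains "Defender Antivirus" on current and older builds.
    $stops = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031, 7034
            StartTime    = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender Antivirus' })

    foreach ($e in ($crashes + $stops)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            EventId = $e.Id
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

function Test-DefenderServiceHealth {
    param([switch]$Restart)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    if ($svc.Status -eq 'Running') { return 'Running' }
    if (-not $Restart) { return $svc.Status.ToString() }
    try {
        # WinDefend is a protected service; if starting it is refused, that
        # failure is itself a finding worth alerting on rather than retrying.
        Start-Service -Name WinDefend -ErrorAction Stop
        return 'Restarted'
    } catch {
        return "RestartFailed: $($_.Exception.Message)"
    }
}

$since  = (Get-Date).AddHours(-24)
$events = @(Get-DefenderCrashEvents -Since $since)

if ($events.Count -gt 0) {
    $events | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No MsMpEng.exe crash or unexpected WinDefend stop since $since."
}

$health = Test-DefenderServiceHealth -Restart
Write-Output "WinDefend health: $health"
if ($events.Count -gt 0 -or $health -ne 'Running') {
    # Hand-off point: forward to the SIEM or ticketing system in use (not shown).
    Write-Warning "Defender availability issue on $env:COMPUTERNAME (events: $($events.Count), service: $health)."
}
```

Scheduled every few minutes, this closes the protection gap the "If Mitigated" case describes; on the SIEM side, the Event ID 1000 filter here is the same condition as the page's query, and a burst of such events from one host during working hours is the pattern worth alerting on.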

