CVE-2023-24946
📋 TL;DR
This vulnerability in Windows Backup Service allows authenticated attackers to gain SYSTEM-level privileges on affected systems. It affects Windows servers and workstations where the backup service is enabled, potentially allowing attackers to bypass security controls and execute arbitrary code with the highest privileges.
💻 Affected Systems
- Windows Backup Service
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 20H2 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement across the network, and data exfiltration.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to disable security software, modify system configurations, and access sensitive data.
If Mitigated
Limited impact if proper access controls and monitoring are in place, with potential detection of privilege escalation attempts through security logs.
🎯 Exploit Status
Requires authenticated user access and knowledge of the vulnerability. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2023 security updates (KB5026361 for Windows 10, KB5026372 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24946
Restart Required: Yes
Instructions:
1. Apply the May 2023 Windows security updates through Windows Update.
2. For enterprise environments, deploy the updates via WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Windows Backup Service
Temporarily disable the vulnerable service to prevent exploitation:
sc config wbengine start= disabled
sc stop wbengine
Restrict Service Permissions
Modify service permissions to prevent unauthorized users from interacting with the service:
sc sdset wbengine D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Disable Windows Backup Service if not required for business operations
🔍 How to Verify
Check if Vulnerable:
Check Windows version and patch level. Systems without May 2023 security updates are vulnerable if Windows Backup Service is enabled.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the May 2023 security updates are installed and that the Windows Backup Service binaries have been updated.
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with wbengine.exe spawning with SYSTEM privileges from non-privileged accounts
- Unexpected service control operations on wbengine service
Network Indicators:
- No specific network indicators as this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName="*wbengine.exe" AND SubjectUserName!="SYSTEM" AND SubjectUserName!="LOCAL SERVICE" AND SubjectUserName!="NETWORK SERVICE"
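The SIEM query above, as an added example that is not part of this advisory: Python that applies the same logic to constructed Security log 4688 events in their Windows XML export form. Assumed beyond the page: subject names ending in `$` are also excluded, because 4688 records processes started by LocalSystem under the machine account (e.g. HOST$) rather than the literal name SYSTEM.

```python
# Added example (not from the advisory): the page's SIEM logic applied to
# constructed 4688 events in Windows Security log XML export form.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

def parse_event(xml_text):
    """Return EventID plus the EventData fields of one exported event as a dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data

def is_suspicious_wbengine_start(event, exclude_machine_account=True):
    """Page's query: EventID 4688, NewProcessName ends with wbengine.exe, and the
    subject is none of SYSTEM / LOCAL SERVICE / NETWORK SERVICE.
    Assumed extension: LocalSystem appears as the machine account (HOST$) in real
    4688 events, so names ending in '$' are excluded as well when the flag is set."""
    if event.get("EventID") != 4688:
        return False
    if not event.get("NewProcessName", "").lower().endswith("wbengine.exe"):
        return False
    user = event.get("SubjectUserName", "")
    if user.upper() in SERVICE_ACCOUNTS:
        return False
    if exclude_machine_account and user.endswith("$"):
        return False
    return True

def _event(user, proc, parent):
    # Constructed sample in the schema of a Windows Security log XML export.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Channel>Security</Channel></System>
  <EventData><Data Name="SubjectUserName">{user}</Data>
    <Data Name="NewProcessName">{proc}</Data>
    <Data Name="ParentProcessName">{parent}</Data></EventData></Event>"""

SAMPLE_EVENTS = [  # constructed, not captured from a real host
    _event("WS01$", r"C:\Windows\System32\wbengine.exe", r"C:\Windows\System32\services.exe"),
    _event("alice", r"C:\Windows\System32\wbengine.exe", r"C:\Windows\System32\cmd.exe"),
    _event("alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

def find_hits(xml_events):
    """Return (SubjectUserName, ParentProcessName) for every matching event."""
    hits = []
    for x in xml_events:
        ev = parse_event(x)
        if is_suspicious_wbengine_start(ev):
            hits.append((ev["SubjectUserName"], ev["ParentProcessName"]))
    return hits
```

Only the second sample matches: the first is the normal service start under the machine account, and the third is not wbengine.exe at all.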