CVE-2024-27674

7.8 HIGH

📋 TL;DR

CVE-2024-27674 is a privilege escalation vulnerability in Macro Expert software where unprivileged users can replace the MacroService.exe binary due to overly permissive folder permissions. This allows local attackers to escalate privileges to SYSTEM level. All users running Macro Expert through version 4.9.4 on Windows systems are affected.

💻 Affected Systems

Products:
  • Macro Expert
Versions: through 4.9.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation due to insecure folder permissions on the Macro Expert installation directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, persistence, credential theft, and lateral movement.

🟠 Likely Case

Malicious insider or compromised user account escalates to SYSTEM to install malware, backdoors, or steal sensitive data.

🟢 If Mitigated

Attack fails due to proper access controls, user privilege restrictions, or security monitoring detecting unauthorized file modifications.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the system.
🏢 Internal Only: HIGH - Internal users or compromised accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is straightforward - simply replacing the binary with malicious code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.macro-expert.com/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. Install latest version if available
3. Verify folder permissions are corrected

🔧 Temporary Workarounds

Restrict Macro Expert Folder Permissions

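Remove BUILTIN\Users write permissions from the Macro Expert installation folder. Note that icacls /remove deletes every explicit BUILTIN\Users entry on the folder and, with /T, on everything beneath it, not only the write right; inherited entries are left in place.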

icacls "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" /remove "BUILTIN\Users" /T

Disable Macro Expert Service

Stop and disable the MacroService to prevent execution of replaced binaries

sc stop MacroService
sc config MacroService start= disabled

🧯 If You Can't Patch

  • Uninstall Macro Expert if not required
  • Implement strict access controls and monitoring on the installation folder

🔍 How to Verify

Check if Vulnerable:

Check folder permissions. Any line printed means a BUILTIN\Users entry with Modify (M) is present:

icacls "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" | findstr "BUILTIN\\Users.*M"

Check Version:

Check Macro Expert version in Help > About or program files properties

Verify Fix Applied:

Verify BUILTIN\Users no longer has Modify (M) permissions on the folder
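
The findstr check above matches only Modify (M) for BUILTIN\Users. As an added example (not from the original page or the vendor), the PowerShell below audits the folder and the executables under it for any write-capable allow entry held by broad low-privileged groups. The install path and service name are taken from this page's commands; the SID list and the function name Get-WritableAce are choices made for this example.

```powershell
# Added example. Assumptions: install path and service name are the ones used in
# this page's icacls and sc commands; adjust $installDir for custom installs.
$installDir  = Join-Path ${env:ProgramFiles(x86)} 'GrassSoft\Macro Expert'
$serviceName = 'MacroService'

# Well-known SIDs for broad, low-privileged groups (locale-independent).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing or planting a file. Modify and FullControl contain
# these bits; GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear raw.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x10000000 -bor 0x40000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivSids.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $installDir) {
    # The folder itself plus every executable and DLL below it.
    $files    = Get-ChildItem -LiteralPath $installDir -Recurse -File |
                Where-Object Extension -in '.exe', '.dll'
    $targets  = @($installDir) + @($files | Select-Object -ExpandProperty FullName)
    $findings = $targets | ForEach-Object { Get-WritableAce -Path $_ }
    if ($findings) { $findings | Format-Table -AutoSize }
    else { 'No write-capable ACEs for low-privileged groups.' }
    # Show which account would run the service binary.
    Get-CimInstance Win32_Service -Filter "Name='$serviceName'" |
        Format-List Name, StartName, State, PathName
} else {
    "Install folder not found: $installDir"
}
```

An empty findings table after applying the workaround or an update confirms that none of the listed groups can replace files in the folder; rows marked Inherited = True point to a parent folder ACL rather than the installer.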

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4663 (File system access) showing unauthorized writes to Macro Expert folder
  • Sysmon Event ID 11 (FileCreate) targeting MacroService.exe

Network Indicators:

  • None - local exploitation only

SIEM Query:

(source="Windows Security" EventID=4663 ObjectName="*Macro Expert*" AccessMask="0x2") OR (source="Sysmon" EventID=11 TargetFilename="*MacroService.exe*")
