CVE-2024-28904
📋 TL;DR
This vulnerability allows an authenticated attacker to exploit the Microsoft Brokering File System to gain SYSTEM-level privileges on Windows systems. It affects Windows 10, 11, and Windows Server versions where an attacker already has local access with standard user permissions.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, disabling security controls, and persistence mechanisms.
Likely Case
Local privilege escalation from standard user to SYSTEM, allowing attackers to bypass security restrictions, access sensitive system files, and install additional payloads.
If Mitigated
Limited impact if proper access controls, least privilege principles, and endpoint protection are in place; attacker still gains elevated privileges but may be detected.
🎯 Exploit Status
Requires local authenticated access; exploitation involves manipulating the Brokering File System component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2024 security updates (KB5036893 for Windows 10, KB5036892 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28904
Restart Required: Yes
Instructions:
1. Apply the April 2024 security updates via Windows Update.
2. For enterprise: deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify installation via the 'winver' command, confirming the OS build is the one shipped with the April 2024 updates.
🔧 Temporary Workarounds
Restrict local user access
Limit local user accounts and enforce least privilege to reduce the attack surface.
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts.
- Use application whitelisting and endpoint detection to block suspicious activities.
🔍 How to Verify
Check if Vulnerable:
A system is vulnerable if the April 2024 security updates are not installed; check the hotfix list in 'systeminfo' output or the Windows Update history.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that 'winver' shows a build that includes the April 2024 updates, or confirm that KB5036893/KB5036892 appears in the list of installed updates.
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) with SYSTEM privileges from non-admin users
- Suspicious access to Brokering File System components
Network Indicators:
- Not network exploitable; focus on local system behavior
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"
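The first log indicator above (a process created with a SYSTEM token by a non-service, non-admin account), implemented over Windows Event XML as an added example that is not part of this advisory; the field names follow the Security 4688 EventData schema, while the sample events, account names and paths are constructed.

```python
import xml.etree.ElementTree as ET

# Built-in identities that legitimately create processes running as SYSTEM.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4688(xml_text):
    """Flatten one event (Get-WinEvent ToXml() shape) into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def is_suspicious(ev, admin_allowlist=frozenset()):
    """Flag a 4688 whose new process token is SYSTEM but whose creator is an ordinary user."""
    if ev.get("EventID") != "4688":
        return False
    creator = ev.get("SubjectUserName", "")
    if creator in SERVICE_ACCOUNTS or creator.endswith("$") or creator in admin_allowlist:
        return False
    # TargetUserName is the account of the created process (Windows 10 / Server 2016+).
    return ev.get("TargetUserName", "").upper() == "SYSTEM"

def scan(events_xml, admin_allowlist=frozenset()):
    """Return (creator, new process, parent process) for every suspicious event."""
    hits = []
    for xml_text in events_xml:
        ev = parse_4688(xml_text)
        if is_suspicious(ev, admin_allowlist):
            hits.append((ev["SubjectUserName"], ev["NewProcessName"], ev["ParentProcessName"]))
    return hits

def event_xml(subject, target, proc, parent, elev):
    """Constructed sample event in Windows Event XML shape (not a real log capture)."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4688</EventID></System><EventData>
<Data Name="SubjectUserName">{subject}</Data><Data Name="TargetUserName">{target}</Data>
<Data Name="NewProcessName">{proc}</Data><Data Name="ParentProcessName">{parent}</Data>
<Data Name="TokenElevationType">{elev}</Data></EventData></Event>"""

SAMPLE_EVENTS = [  # constructed: benign service, benign user, user-created SYSTEM shell
    event_xml("SYSTEM", "SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", "%%1936"),
    event_xml("alice", "alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "%%1938"),
    event_xml("alice", "SYSTEM", r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\poc.exe", "%%1936"),
]

if __name__ == "__main__":
    for creator, proc, parent in scan(SAMPLE_EVENTS):
        print(f"ALERT: {creator} created {proc} as SYSTEM (parent {parent})")
```

Feed it the XML from Get-WinEvent's ToXml() output and tune the allowlist to accounts that are expected to run as administrator.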