CVE-2024-30033
📋 TL;DR
This vulnerability in Windows Search Service allows an authenticated attacker to execute arbitrary code with SYSTEM privileges, leading to local privilege escalation. It affects Windows systems with the Search service enabled. Attackers must have initial access to the target system.
💻 Affected Systems
- Windows Search Service
📦 What is this software?
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.
If Mitigated
Limited impact if proper access controls, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Requires authenticated access and specific conditions to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2024 security updates (KB5037771 for Windows 11, KB5037768 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30033
Restart Required: Yes
Instructions:
1. Apply May 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Windows Search Service
windowsDisables the vulnerable service but impacts search functionality
sc config WSearch start= disabled
sc stop WSearch
Restrict service permissions
windowsApply stricter ACLs to Windows Search Service
sc sdset WSearch D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles to limit initial access
- Monitor for suspicious activity related to Windows Search Service and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows version and if May 2024 security updates are installed. Vulnerable if Windows Search Service is enabled and patches not applied.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5037771 (Windows 11) or KB5037768 (Windows 10) or equivalent May 2024 updates are installed via 'wmic qfe list' or 'Get-Hotfix' in PowerShell.📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with process creation from SearchIndexer.exe with unusual parent processes
- Event ID 4697 with service installation attempts
- Unusual privilege escalation patterns
Network Indicators:
- Unusual outbound connections from systems after local privilege escalation
SIEM Query:
source="windows" (event_id=4688 AND process_name="SearchIndexer.exe" AND parent_process_name!="services.exe") OR (event_id=4697 AND service_name="WSearch")