CVE-2024-30091

Q: What is the severity of CVE-2024-30091?

CVE-2024-30091 has a CVSS score of 7.8 (HIGH). CVE-2024-30091 is a Win32k elevation of privilege vulnerability in Windows that allows an authenticated attacker to gain SYSTEM-level privileges on a compromised system. This affects Windows operating systems where an attacker already has local access. Successful exploitation requires the attacker to have initial access to the target system.

7.8 HIGH

📋 TL;DR

CVE-2024-30091 is a Win32k elevation of privilege vulnerability in Windows that allows an authenticated attacker to gain SYSTEM-level privileges on a compromised system. This affects Windows operating systems where an attacker already has local access. Successful exploitation requires the attacker to have initial access to the target system.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and potentially other supported Windows versions

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. The vulnerability is in the Win32k kernel driver component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access can escalate privileges to SYSTEM, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Attackers who have already compromised a user account (through phishing, malware, etc.) use this to gain full administrative control of the system for persistence and further attacks.

🟢

If Mitigated

With proper patch management and least privilege principles, the impact is limited as attackers cannot gain initial access or cannot escalate beyond their assigned privileges.

🌐 Internet-Facing: LOW - This vulnerability requires local access and cannot be exploited directly from the internet.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (through phishing, malware, etc.), they can use this to escalate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and some technical knowledge of Windows kernel internals. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the May 2024 security updates from Microsoft (specific KB numbers vary by Windows version)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30091

Restart Required: Yes

Instructions:

1. Open Windows Update settings
2. Check for updates
3. Install all available security updates
4. Restart the system when prompted

🔧 Temporary Workarounds

Restrict local access

windows

Limit who has local login access to systems through group policy and user account controls

Implement least privilege

windows

Ensure users operate with standard user privileges rather than administrative rights

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if the May 2024 security updates are installed via Windows Update history or by checking the OS build version

Check Version:

winver

Verify Fix Applied:

Verify the security update is installed in Windows Update history and that the system has been restarted

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) showing unusual parent-child process relationships
Event ID 4672 (special privileges assigned) for SYSTEM account
Unexpected privilege escalation attempts in security logs

Network Indicators:

Unusual outbound connections from systems after local compromise
Lateral movement attempts to other systems

SIEM Query:

EventID=4688 AND (ParentProcessName="*cmd.exe" OR ParentProcessName="*powershell.exe") AND NewProcessName="*" | where suspicious_parent_child_relationships

📊 Metadata

CVE ID: CVE-2024-30091

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: June 11, 2024

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30091 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30091 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Implement least privilege

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities