CVE-2024-33226
📋 TL;DR
This vulnerability in Wistron Corporation's TBT Force Power Control driver allows attackers to escalate privileges and execute arbitrary code by sending crafted IOCTL requests to the Access64.sys component. Attackers with local access can gain SYSTEM-level privileges. Users of Wistron TBT Force Power Control software version 1.0.0.0 are affected.
💻 Affected Systems
- Wistron Corporation TBT Force Power Control
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across networks.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and driver signature enforcement are in place.
🎯 Exploit Status
Exploit code is publicly available; requires local access but no authentication beyond that.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check Wistron Corporation's official website or contact the vendor for security updates. If no patch is available, implement the workarounds below.
🔧 Temporary Workarounds
Disable or remove vulnerable driver
Uninstall TBT Force Power Control software or disable the Access64.sys driver
sc.exe stop TBTForcePowerControl
sc.exe delete TBTForcePowerControl
Restrict driver loading
Use Windows group policy to block loading of unsigned or specific drivers
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to monitor for suspicious driver activity
- Apply least privilege principles and restrict local access to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check whether the Access64.sys driver from Wistron TBT Force Power Control v1.0.0.0 is present in the system32\drivers directory
Check Version:
Check software version in Control Panel > Programs and Features or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wistron\TBT Force Power Control
Verify Fix Applied:
Verify driver is removed or updated to a patched version; check driver signature status
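The three checks above can be collected in one read-only PowerShell pass. This is an added example, not a script from this page or from the vendor; it assumes the driver sits under %SystemRoot%\System32\drivers and that the service name used in the workaround commands is the one that loads it.

```powershell
# Added example: read-only inventory built from the identifiers on this page.
# Assumptions: driver location and service name as stated in the lead-in.
$driverPath  = Join-Path $env:SystemRoot 'System32\drivers\Access64.sys'
$serviceName = 'TBTForcePowerControl'
$productKey  = 'HKLM:\SOFTWARE\Wistron\TBT Force Power Control'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = [ordered]@{
    DriverPresent   = Test-Path -LiteralPath $driverPath
    DriverVersion   = $null; DriverSha256 = $null
    SignatureStatus = $null; Signer       = $null
    ServiceType     = $null; ServiceStart = $null; ServiceBinary = $null
    ProductValues   = $null
}

if ($report.DriverPresent) {
    $sig = Get-AuthenticodeSignature -LiteralPath $driverPath
    $report.DriverVersion   = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
    $report.DriverSha256    = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
    $report.SignatureStatus = $sig.Status
    $report.Signer          = $sig.SignerCertificate.Subject
}

# The service registry key exists for both driver and user-mode services.
$svcKey = Join-Path $servicesKey $serviceName
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $report.ServiceType   = $svc.Type       # 1 = kernel driver
    $report.ServiceStart  = $svc.Start      # 4 = disabled
    $report.ServiceBinary = $svc.ImagePath
}

if (Test-Path -LiteralPath $productKey) {
    # Value names under this key are not given on the page, so list them all.
    $report.ProductValues = ((Get-ItemProperty -LiteralPath $productKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
}

[pscustomobject]$report | Format-List

# The driver may be registered under another service name: list every
# service whose binary path references Access64.sys.
Get-ChildItem -LiteralPath $servicesKey |
    Get-ItemProperty -Name ImagePath -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath -like '*Access64.sys*' } |
    Select-Object PSChildName, ImagePath
```

After applying a workaround, a clean result shows DriverPresent as False, empty service fields, and no rows from the final query.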
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation events for TBTForcePowerControl
- Driver load events for Access64.sys
- Suspicious IOCTL requests to vulnerable driver
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
(EventID=7045 AND ServiceName="TBTForcePowerControl") OR DriverName="Access64.sys"