CVE-2024-38172

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through specially crafted Excel files. Attackers can exploit this by tricking users into opening malicious documents, potentially gaining full control of affected systems. All users running vulnerable versions of Microsoft Excel are affected.

💻 Affected Systems

Products:
  • Microsoft Excel
Versions: Specific versions as listed in Microsoft advisory
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open malicious Excel file. Office 365 auto-updates may already have protection.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining administrative privileges, data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, malware installation, and persistence mechanisms on individual workstations.

🟢 If Mitigated

Limited impact with proper application sandboxing, macro restrictions, and user education preventing malicious file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to deliver malicious file. No known public exploits at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest security updates from Microsoft

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38172

Restart Required: Yes

Instructions:

1. Open Excel.
2. Go to File > Account > Update Options > Update Now.
3. Install all available updates.
4. Restart computer if prompted.

🔧 Temporary Workarounds

Disable automatic opening of Excel files

Platform: Windows

Configure Excel to open files in Protected View by default

Set registry key: HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView = 1

Block external Excel files via email

Platform: All

Configure email security to block .xls, .xlsx, .xlsm attachments

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized Excel execution
  • Deploy network segmentation to limit lateral movement from compromised systems

🔍 How to Verify

Check if Vulnerable:

Check Excel version against Microsoft's security update list for CVE-2024-38172

Check Version:

In Excel: File > Account > About Excel

Verify Fix Applied:

Verify Excel version matches or exceeds patched version in Microsoft advisory

📡 Detection & Monitoring

Log Indicators:

  • Excel crash logs with unusual memory patterns
  • Windows Event Logs showing unexpected Excel child processes

Network Indicators:

  • Outbound connections from Excel process to unknown IPs
  • DNS queries for command and control domains from Excel

SIEM Query:

process_name:"EXCEL.EXE" AND (parent_process!="explorer.exe" OR command_line:"*\AppData\*" OR network_connection_count > 5)
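
The SIEM query above and the "unexpected Excel child processes" log indicator, written out as an added Python example (not part of the original advisory) and run over constructed process-creation events. The event field names, the sample events and the EXPECTED_CHILDREN allowlist are assumptions to adapt to your own telemetry.

```python
import ntpath

# Assumption: child images treated as normal for Excel here; tune per environment.
EXPECTED_CHILDREN = {"excel.exe", "splwow64.exe", "werfault.exe"}

def _name(path):
    return ntpath.basename(path or "").lower()

def matches_page_query(ev):
    """The page's SIEM query, clause by clause, applied to one process event."""
    if _name(ev.get("image")) != "excel.exe":
        return False
    return (
        _name(ev.get("parent_image")) != "explorer.exe"
        or "\\appdata\\" in ev.get("command_line", "").lower()
        or ev.get("network_connection_count", 0) > 5
    )

def unexpected_excel_child(ev):
    """Log indicator: a process started by Excel that is not on the allowlist."""
    return (_name(ev.get("parent_image")) == "excel.exe"
            and _name(ev.get("image")) not in EXPECTED_CHILDREN)

def triage(events):
    """Return (host, reason) pairs for every event that trips either check."""
    hits = []
    for ev in events:
        if matches_page_query(ev):
            hits.append((ev["host"], "siem_query"))
        if unexpected_excel_child(ev):
            hits.append((ev["host"], "excel_child:" + _name(ev["image"])))
    return hits

# Constructed sample events (hypothetical, Sysmon-like field names).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" "C:\Users\a\Documents\budget.xlsx"'},
    {"host": "ws02", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'"EXCEL.EXE" "C:\Users\b\AppData\Local\Temp\invoice.xlsx"'},
    {"host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "cmd.exe /c dir"},
    {"host": "ws03", "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "splwow64.exe 8192"},
]
```

On these events the query's parent_process clause fires for Excel started by Outlook, which is ordinary attachment handling, so that clause needs tuning before it is used for alerting.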
