CVE-2024-43479
📋 TL;DR
Remote code execution vulnerability in Microsoft Power Automate Desktop (now branded Power Automate for desktop), the Windows client that runs desktop flows. A successful attacker can execute arbitrary code on the affected host. Organizations that run desktop flows on Windows machines, in particular unattended RPA hosts, are affected; because those hosts commonly hold credentials for the applications the flows drive, compromise of one can expose far more than the machine itself.
💻 Affected Systems
- Microsoft Power Automate Desktop (Power Automate for desktop); see the MSRC advisory linked below for the exact affected version range
📦 What is this software?
Power Automate by Microsoft. Power Automate for desktop is the robotic process automation (RPA) component of Microsoft Power Automate: it records and runs attended and unattended desktop flows that drive Windows and web applications through their UI, command line, and scripting actions.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Attacker gains initial foothold in network, executes malicious payloads, and escalates privileges to access sensitive data.
If Mitigated
Limited impact: network segmentation, dedicated least-privilege accounts for flow execution, and monitoring of the automation hosts confine the attacker to the compromised machine and prevent lateral movement.
🎯 Exploit Status
No public exploit or in-the-wild exploitation is documented on this page. Consult the MSRC advisory for the attack vector, privileges required, and Microsoft's exploitability assessment. Exploitation is expected to require specific conditions and may depend on social engineering or initial access gained through other vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the Power Automate for desktop build listed as fixed in the MSRC advisory (take the exact build number from the advisory)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43479
Restart Required: Yes
Instructions:
1. Open the Power Automate for desktop console; accept the update prompt if one is shown, or download and run the current installer from Microsoft
2. Confirm the installed version matches or exceeds the fixed build listed in the MSRC advisory
3. Repeat on every host that runs desktop flows (unattended RPA machines are easy to miss because nobody signs in to them interactively)
4. Restart the application and affected systems
🔧 Temporary Workarounds
Disable Power Automate Desktop
Platform: Windows. Temporarily disable Power Automate Desktop if it is not critically needed. The service display name varies by version, so match it by wildcard instead of hard-coding it; stopping the service halts unattended flows on the host.
# Stop and disable the Power Automate desktop service (matched by display name)
Get-Service -DisplayName "*Power Automate*" | Stop-Service -Force
Get-Service -DisplayName "*Power Automate*" | Set-Service -StartupType Disabled
Network Segmentation
Platform: all. Isolate systems running Power Automate Desktop from critical networks.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Power Automate Desktop systems from critical networks
- Run unattended flows under dedicated low-privilege accounts, limit who can author or trigger flows targeting those machines, and monitor the hosts for suspicious Power Automate Desktop activity
🔍 How to Verify
Check if Vulnerable:
Check the Power Automate for desktop version in Settings > About. If the version is lower than the fixed build listed in the MSRC advisory, the system is vulnerable.
Check Version:
The uninstall entry may sit under the 64-bit view, the WOW6432Node view, or the current user's hive, and the DisplayName may be "Power Automate Desktop" or "Power Automate for desktop" depending on version, so query all three and match loosely:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Where-Object {$_.DisplayName -like "*Power Automate*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify that the Power Automate for desktop version shown in Settings > About (or in the registry query above) is equal to or later than the fixed build listed in the MSRC advisory.
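The steps above done as a reusable check, as an added example that is not Microsoft's code and is not part of the MSRC advisory: it enumerates every Power Automate for desktop install recorded in the uninstall keys (64-bit, WOW6432Node, and current-user hives) and compares each DisplayVersion against the fixed build you supply from the advisory. The `-FixedVersion` parameter is deliberately mandatory with no default so that the value is always taken from the advisory rather than guessed here; the function and parameter names are this example's own.

```powershell
# Added example (not Microsoft's code, not from the MSRC advisory): find Power
# Automate for desktop installs and compare each one with the fixed build.
# The fixed build is NOT hard-coded here; pass the value from the MSRC advisory.

function Get-PadInstall {
    # Machine-wide installs (64-bit and 32-bit views) plus the current user's per-user install
    $paths = @{
        'HKLM'         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM-WOW6432' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU'         = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    foreach ($hive in $paths.Keys) {
        Get-ItemProperty -Path $paths[$hive] -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Power Automate*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Hive            = $hive
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    InstallLocation = $_.InstallLocation
                }
            }
    }
}

function Test-PadVulnerable {
    param(
        # Fixed build for CVE-2024-43479, copied from the MSRC advisory (no default on purpose)
        [Parameter(Mandatory)] [version] $FixedVersion
    )
    $installs = @(Get-PadInstall)
    if ($installs.Count -eq 0) {
        return [pscustomobject]@{ Hive = $null; DisplayName = $null; DisplayVersion = $null; Status = 'NOT INSTALLED' }
    }
    foreach ($i in $installs) {
        $parsed = $null
        # Unparseable or missing DisplayVersion is reported as UNKNOWN rather than silently treated as patched
        $status = if ([version]::TryParse([string]$i.DisplayVersion, [ref]$parsed)) {
            if ($parsed -lt $FixedVersion) { 'VULNERABLE' } else { 'PATCHED' }
        } else {
            'UNKNOWN (unparseable DisplayVersion)'
        }
        [pscustomobject]@{
            Hive           = $i.Hive
            DisplayName    = $i.DisplayName
            DisplayVersion = $i.DisplayVersion
            Status         = $status
        }
    }
}

# Usage: replace the placeholder with the fixed build from the MSRC advisory
# Test-PadVulnerable -FixedVersion '0.0.0.0' | Format-Table -AutoSize
```

The HKCU query only sees the user running the script. Per-user installs belonging to other accounts on a shared host live under their HKU hives and are not covered, so on multi-user machines either run the check in each user's context or load their hives explicitly. For fleet-wide verification, run it through your endpoint management tool rather than by hand, since unattended RPA hosts are the ones most likely to be overlooked.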
📡 Detection & Monitoring
Log Indicators:
- Command or script interpreters (cmd.exe, powershell.exe, mshta.exe and similar) spawned by Power Automate Desktop processes outside the baseline of what your flows legitimately run
- Suspicious command lines executed via Power Automate Desktop (encoded PowerShell, download cradles, living-off-the-land binaries)
- Failed or unusual logons by the accounts used to run unattended desktop flows (Windows Security events 4625/4624 for those accounts)
Network Indicators:
- Unexpected outbound connections from Power Automate Desktop hosts to destinations other than the Microsoft Power Platform endpoints the client normally talks to
- Lateral SMB, RDP, or WinRM traffic originating from automation hosts that should only drive their local applications
SIEM Query:
Pseudo-query over process-creation telemetry (field names follow Sysmon Event ID 1; the PAD executable names are taken from a typical install and should be confirmed against your own deployment, and the syntax adapted to your SIEM):
EventID=1 AND ParentImage ENDSWITH ("\PAD.Robot.exe" OR "\PAD.Console.Host.exe" OR "\UIFlowService.exe") AND Image ENDSWITH ("\cmd.exe" OR "\powershell.exe" OR "\pwsh.exe" OR "\mshta.exe" OR "\wscript.exe")
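The same detection logic as runnable PowerShell, added here as an example that is not from the advisory or from Microsoft. It reads Sysmon process-creation events (Event ID 1) into a flat shape, then flags interpreters whose parent is a Power Automate for desktop process. The PAD executable names, the install path in the sample data, and the function names are this example's assumptions, and the sample events are constructed, not captured telemetry.

```powershell
# Added example (not Microsoft's code, not from the MSRC advisory): flag script
# and command interpreters launched by Power Automate for desktop processes.
# Executable names below are assumed from a typical install; confirm them locally.

$padProcesses = 'PAD.Robot.exe', 'PAD.Console.Host.exe', 'PAD.Designer.exe', 'UIFlowService.exe'
$interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

function Find-PadSpawnedInterpreter {
    # $Events: objects with TimeCreated, User, ParentImage, Image, CommandLine
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $parent = Split-Path -Path $_.ParentImage -Leaf
        $child  = Split-Path -Path $_.Image -Leaf
        # -contains on string arrays is case-insensitive, so PAD.ROBOT.EXE also matches
        ($padProcesses -contains $parent) -and ($interpreters -contains $child)
    }
}

function Get-SysmonProcessCreate {
    # Read live Sysmon Event ID 1 records into the flat shape Find-PadSpawnedInterpreter expects.
    # Requires Sysmon; without it, use Security event 4688 with command-line auditing enabled.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = $data['User']
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample events (not real telemetry) so the filter can be exercised offline.
# The encoded command is a constructed fragment, not a real payload.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-09-11 09:12:01'; User = 'CORP\svc-rpa'
        ParentImage = 'C:\Program Files (x86)\Power Automate Desktop\PAD.Robot.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' }
    [pscustomobject]@{ TimeCreated = '2024-09-11 09:12:05'; User = 'CORP\svc-rpa'
        ParentImage = 'C:\Program Files (x86)\Power Automate Desktop\PAD.Robot.exe'
        Image       = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        CommandLine = '"EXCEL.EXE" C:\RPA\invoices.xlsx' }
    [pscustomobject]@{ TimeCreated = '2024-09-11 09:13:10'; User = 'CORP\alice'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe' }
)

# Offline run over the constructed sample; swap in (Get-SysmonProcessCreate) for live data
Find-PadSpawnedInterpreter -Events $sample |
    Format-Table TimeCreated, User, Image, CommandLine -AutoSize
```

On the constructed sample only the first event is flagged: the Excel launch has a PAD parent but is not an interpreter, and the cmd.exe launch has explorer.exe as its parent. Treat the hit as a triage lead rather than a verdict. Desktop flows legitimately use the "Run DOS command" and "Run PowerShell script" actions, so build a baseline of which flows and hosts spawn interpreters, then alert on deviations from it and on command-line traits such as encoded or hidden-window PowerShell and network download cradles.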