CVE-2024-43574
📋 TL;DR
This vulnerability in Microsoft Speech API (SAPI) allows remote attackers to execute arbitrary code on affected systems by sending specially crafted requests. It affects systems running vulnerable versions of Windows with SAPI enabled. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
- Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Initial foothold for attackers leading to privilege escalation, credential theft, and installation of backdoors or malware.
If Mitigated
Limited impact due to network segmentation, application control policies, and restricted user privileges preventing lateral movement.
🎯 Exploit Status
Microsoft has rated this as 'Exploitation More Likely' in their advisory. The vulnerability requires the attacker to send specially crafted data to the SAPI service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates (KB5040442 for Windows 10, KB5040437 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43574
Restart Required: Yes
Instructions:
1. Apply the July 2024 Windows security updates from Windows Update.
2. For enterprise environments, deploy the updates via WSUS, SCCM, or Intune.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Disable SAPI service
Windows: Disable the Microsoft Speech API service to prevent exploitation (run from an elevated command prompt; the service restarts only if it is re-enabled)
sc config "SpeechService" start= disabled
sc stop "SpeechService"
Block SAPI network ports
Windows: Block inbound network access to the SAPI service executable with Windows Firewall rules (run from an elevated command prompt; a block rule takes precedence over any allow rule for the same program)
netsh advfirewall firewall add rule name="Block SAPI" dir=in action=block protocol=TCP localport=1024-65535 program="%SystemRoot%\System32\Speech\SpeechService.exe"
netsh advfirewall firewall add rule name="Block SAPI UDP" dir=in action=block protocol=UDP localport=1024-65535 program="%SystemRoot%\System32\Speech\SpeechService.exe"
🧯 If You Can't Patch
- Implement network segmentation to isolate systems with SAPI enabled
- Apply strict application control policies to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check whether the July 2024 security updates are installed with 'wmic qfe list' or 'systeminfo' (or, where wmic is no longer available, the PowerShell cmdlet Get-HotFix)
Check Version:
wmic service where "name='SpeechService'" get name,pathname,startmode,state
Verify Fix Applied:
Verify KB5040442 (Windows 10) or KB5040437 (Windows 11) is installed and SpeechService is running version 10.0.19041.4651 or later
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with SpeechService.exe parent process
- Unusual network connections to SpeechService.exe
- Failed SpeechService authentication attempts
Network Indicators:
- Unusual traffic to/from SpeechService.exe on non-standard ports
- Suspicious SAPI protocol requests
SIEM Query:
source="windows" (event_id=4688 AND process_name="SpeechService.exe") OR (event_id=4625 AND process_name="SpeechService.exe")
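The 4688 indicator above concerns the parent (creator) process, so a detection has to test the ParentProcessName field; a match on the new process name alone, as in the query, fires on the service's own benign start-up and misses a shell spawned by it. The following is an added example, not part of this advisory, run over constructed sample events:

```python
import re

# Constructed sample records (not real logs) in a flat key=value form mirroring
# the fields of a Windows Security 4688 "A new process has been created" event.
SAMPLE_EVENTS = [
    # benign: the service itself started by the Service Control Manager
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\Speech\\SpeechService.exe "
    "ParentProcessName=C:\\Windows\\System32\\services.exe SubjectUserName=SYSTEM",
    # suspicious: a command shell whose creator is the speech service
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "ParentProcessName=C:\\Windows\\System32\\Speech\\SpeechService.exe SubjectUserName=SYSTEM",
    # benign: a command shell started from the user's desktop
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "ParentProcessName=C:\\Windows\\explorer.exe SubjectUserName=alice",
    # unrelated event id, must be ignored
    "EventID=4624 LogonType=2 SubjectUserName=alice",
]

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flat key=value record into a dict (sample paths contain no spaces)."""
    return dict(KEY_VALUE.findall(line))


def image_name(path):
    """Lower-cased file name of a Windows image path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def children_of_speech_service(lines):
    """Image names of processes whose 4688 creator (parent) is SpeechService.exe."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4688":
            continue
        if image_name(ev.get("ParentProcessName", "")) == "speechservice.exe":
            hits.append(image_name(ev["NewProcessName"]))
    return hits


def new_process_is_speech_service(lines):
    """What a filter on the new process name alone returns: only the service's own start."""
    return [image_name(ev["NewProcessName"])
            for ev in map(parse_event, lines)
            if ev.get("EventID") == "4688"
            and image_name(ev.get("NewProcessName", "")) == "speechservice.exe"]


if __name__ == "__main__":
    print("spawned by SpeechService.exe:", children_of_speech_service(SAMPLE_EVENTS))
    print("new process is SpeechService.exe:", new_process_is_speech_service(SAMPLE_EVENTS))
```

Event 4688 only exists when process creation auditing is enabled; on a live host the same records can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` and fed through the parent-process check.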