CVE-2024-49095
📋 TL;DR
This vulnerability allows an authenticated attacker to exploit the Windows PrintWorkflowUserSvc service to gain SYSTEM-level privileges on affected Windows systems. It affects Windows workstations and servers where the print workflow service is running. Attackers need local access to exploit this privilege escalation flaw.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM privileges, enabling complete system compromise, lateral movement, persistence establishment, and disabling of security controls.
Likely Case
Local authenticated user elevates to SYSTEM to install malware, steal credentials, or bypass security restrictions on the compromised host.
If Mitigated
With proper access controls and monitoring, the impact is limited to an isolated host, with quick detection and remediation.
🎯 Exploit Status
Requires authenticated user access and knowledge of exploitation techniques. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates (KB5040442 for Windows 11, KB5040437 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49095
Restart Required: Yes
Instructions:
1. Apply the July 2024 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS, Microsoft Endpoint Configuration Manager, or Microsoft Intune.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable PrintWorkflowUserSvc Service
Disables the vulnerable service to prevent exploitation (may impact print workflow functionality):
sc config PrintWorkflowUserSvc start= disabled
sc stop PrintWorkflowUserSvc
Restrict Service Permissions
Modifies the service's security descriptor to prevent unauthorized users from interacting with the service:
sc sdset PrintWorkflowUserSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
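Before applying a descriptor with `sc sdset`, it is worth reading the SDDL string back to confirm which principals keep control rights over the service. The following Python is an added example, not part of the original page: it decodes the DACL above with the service-specific right codes used by `sc sdset`, and flags any principal other than SYSTEM or Administrators that is allowed to start, stop, pause, reconfigure, or take over the service. The `WEAK_SDDL` string is a constructed counter-example that grants Interactive Users start/stop rights.

```python
import re

# Service-specific access right codes used in SDDL strings accepted by `sc sdset`.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that appear in the descriptor above.
SIDS = {"SY": "LocalSystem", "BA": "Administrators",
        "IU": "Interactive Users", "SU": "Service Logon"}
# Rights that let a principal control or reconfigure the service.
CONTROL = {"DC", "RP", "WP", "DT", "SD", "WD", "WO"}
TRUSTED = {"SY", "BA"}

# The descriptor from the workaround above.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed weaker variant: Interactive Users may start (RP) and stop (WP) the service.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;IU)")

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, sid, {right codes})] for the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop any trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if len(rights) % 2:
            raise ValueError("odd-length rights string: " + rights)
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        unknown = codes - RIGHTS.keys()
        if unknown:
            raise ValueError("unknown right codes: " + ",".join(sorted(unknown)))
        aces.append((ace_type, sid, codes))
    return aces

def control_holders(sddl):
    """SIDs other than SYSTEM/Administrators granted any control right by an allow ACE."""
    return sorted(sid for t, sid, codes in parse_dacl(sddl)
                  if t == "A" and sid not in TRUSTED and codes & CONTROL)

def describe(sddl):
    """Human-readable view: principal -> sorted list of allowed service rights."""
    return {SIDS.get(sid, sid): sorted(RIGHTS[c] for c in codes)
            for t, sid, codes in parse_dacl(sddl) if t == "A"}
```

`control_holders(PAGE_SDDL)` returns an empty list, while the constructed `WEAK_SDDL` reports `IU`, which is the kind of descriptor this workaround is meant to rule out.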
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into affected systems
- Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules
🔍 How to Verify
Check if Vulnerable:
Check whether the July 2024 security updates are installed, using the 'systeminfo' or 'Get-HotFix' commands.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that KB5040442 (Windows 11) or KB5040437 (Windows 10) is installed and that the PrintWorkflowUserSvc service is running the patched binary.
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with PrintWorkflowUserSvc parent process spawning unexpected child processes
- Unexpected SYSTEM privilege escalation events
- Service control manager events related to PrintWorkflowUserSvc
Network Indicators:
- No direct network indicators; this is a local privilege escalation.
SIEM Query:
EventID=4688 AND ParentProcessName="*PrintWorkflowUserSvc*" AND NewProcessName NOT IN ("svchost.exe", "rundll32.exe")