CVE-2024-55414
📋 TL;DR
A vulnerability in the Motorola SM56 Modem WDM Driver allows low-privileged users to map physical memory via crafted IOCTL requests. This enables privilege escalation, high-privilege code execution, and information disclosure. Affected users include those running the vulnerable driver version on Windows systems.
💻 Affected Systems
- Motorola SM56 Modem WDM Driver
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with kernel-level code execution, bypassing driver signing policies to deploy persistent malware.
Likely Case
Local privilege escalation from low-privileged user to SYSTEM/administrator, enabling lateral movement and persistence.
If Mitigated
Limited to information disclosure if proper access controls prevent low-privileged users from executing code.
🎯 Exploit Status
Exploitation requires local access and a low-privileged user account; the IOCTL interface provides a direct attack surface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://us.motorola.com/
Restart Required: Yes
Instructions:
1. Check Motorola website for updated driver.
2. Uninstall vulnerable driver version 6.12.23.0.
3. Install patched version if available.
4. Reboot system.
🔧 Temporary Workarounds
Driver Blocking via Group Policy
Block loading of the vulnerable driver using Windows driver block policy.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" /v "DriverBlockPolicy" /t REG_DWORD /d 1 /f
Add vulnerable driver hash to block list in Device Installation Restrictions policy
Driver Removal
Uninstall the vulnerable driver completely.
pnputil /delete-driver oemX.inf /uninstall
sc delete SmSerl64
Remove driver files from system32\drivers
🧯 If You Can't Patch
- Restrict user permissions to prevent low-privileged users from accessing systems with the vulnerable driver.
- Monitor for suspicious driver loading events and IOCTL calls to SmSerl64.sys.
🔍 How to Verify
Check if Vulnerable:
Check driver version in Device Manager under Modems > Motorola SM56 Modem properties > Driver tab, or run: driverquery | findstr SmSerl64
Check Version:
driverquery /fo csv | findstr SmSerl64
Verify Fix Applied:
Verify driver version is not 6.12.23.0 and driver is not loaded (check sc query SmSerl64).
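The two checks above (file version and loaded state) can be combined in one PowerShell function. This is an added example, not vendor code or a script from this page; the function name Get-Sm56DriverStatus is hypothetical, and the fallback to the default System32\drivers directory is an assumption.

```powershell
# Added example. Driver names and version below are taken from this page.
$DriverService = 'SmSerl64'            # service name used in "sc query SmSerl64"
$DriverFile    = 'SmSerl64.sys'        # file name from the monitoring section
$VulnerableVer = [version]'6.12.23.0'  # version the page names as vulnerable

function Get-Sm56DriverStatus {
    # Hypothetical helper: returns one object describing the driver on this host.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverService'" -ErrorAction SilentlyContinue

    # Candidate locations: path registered with the SCM, then the default driver directory.
    $candidates = @()
    if ($svc -and $svc.PathName) {
        $p = $svc.PathName -replace '^\\\?\?\\', ''                    # strip NT "\??\" prefix
        $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # expand "\SystemRoot\"
        $candidates += $p
    }
    $candidates += Join-Path $env:SystemRoot "System32\drivers\$DriverFile"
    $path = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    $fileVer = $null
    $sha256  = $null
    if ($path) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Use the numeric parts; the FileVersion string can carry extra text.
        $fileVer = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
        # Hash of the local file, e.g. for a driver block list entry.
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        ServiceRegistered        = [bool]$svc
        State                    = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode                = if ($svc) { $svc.StartMode } else { $null }
        Path                     = $path   # a file can remain after the service is deleted
        FileVersion              = $fileVer
        MatchesVulnerableVersion = ($null -ne $fileVer -and $fileVer -eq $VulnerableVer)
        Sha256                   = $sha256
    }
}

$status = Get-Sm56DriverStatus
$status | Format-List
if ($status.MatchesVulnerableVersion -or $status.State -eq 'Running') {
    Write-Warning "$DriverService needs attention: version match or driver currently loaded."
}
```

A leftover file with no registered service still shows up in Path, which is the case the "Remove driver files" step is meant to clean up.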
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation for SmSerl64
- Sysmon Event ID 6: Driver loaded - ImageLoaded: SmSerl64.sys
- Unusual IOCTL calls to \Device\SmSerl64
Network Indicators:
- Not network exploitable; local privilege escalation only
SIEM Query:
(source="*system*" OR source="*sysmon*") ((EventCode=7045 AND ServiceName="SmSerl64") OR (EventCode=6 AND ImageLoaded="*SmSerl64.sys"))