CVE-2024-8975

7.3 HIGH

📋 TL;DR

This vulnerability allows local Windows users to escalate privileges to SYSTEM by exploiting an unquoted search path in Grafana Alloy. It affects Windows installations of Grafana Alloy versions before 1.3.3 and between 1.4.0-rc.0 and 1.4.0-rc.1. Attackers with local access can execute arbitrary code with highest system privileges.

💻 Affected Systems

Products:
  • Grafana Alloy
Versions: before 1.3.3, and 1.4.0-rc.0 through 1.4.0-rc.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux and other OS versions are not vulnerable. Requires local user access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence installation, and lateral movement across the network.

🟠 Likely Case: A malicious local user or malware escalates to SYSTEM to bypass security controls, install backdoors, or access sensitive system resources.

🟢 If Mitigated: With proper access controls and patching, privilege escalation is prevented; the residual impact is limited to a service interruption while the service is restarted.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing local access, not remotely exploitable.
🏢 Internal Only: HIGH - Any compromised local account or malware with local execution can exploit this to gain SYSTEM privileges on affected Windows systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once access is obtained. Unquoted search path vulnerabilities are well-understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 or 1.4.1

Vendor Advisory: https://grafana.com/security/security-advisories/cve-2024-8975/

Restart Required: Yes

Instructions:

1. Stop the Grafana Alloy service.
2. Back up configuration files.
3. Download and install version 1.3.4 or 1.4.1 from the official Grafana releases.
4. Restart the service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Restrict local user access (windows): Limit local user accounts and implement least privilege to reduce the attack surface.

Monitor service execution (windows): Implement application whitelisting and monitor for unauthorized service modifications.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local users from accessing affected systems
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Grafana Alloy version on Windows systems: if version is <1.3.3 or between 1.4.0-rc.0 and 1.4.0-rc.1, system is vulnerable.

Check Version:

alloy --version

Verify Fix Applied:

Verify Grafana Alloy version is 1.3.4 or 1.4.1 or higher using the version check command.
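The two checks above (version range, and the unquoted-path condition the advisory describes) as one PowerShell script. This is an added example, not code from the advisory or from Grafana; it assumes `alloy` is on PATH (or is passed via -AlloyExe) and that the Windows service is registered under the name `Alloy` (an assumption; pass -ServiceName if your installer used a different name).

```powershell
# Added example, not from the advisory: checks a Windows host for the two conditions
# the advisory describes. (1) Is the installed Alloy version in an affected range?
# (2) Is the Alloy service registered with an unquoted path that contains spaces?
# Assumptions: 'alloy' is the executable on PATH (or pass -AlloyExe) and the Windows
# service is named 'Alloy' (pass -ServiceName if yours differs).
param(
    [string]$AlloyExe    = 'alloy',
    [string]$ServiceName = 'Alloy'
)

function Test-AlloyVersionAffected {
    # Returns $true when the version token in the "alloy --version" output falls in
    # the ranges stated above: before 1.3.3, or 1.4.0-rc.0 through 1.4.0-rc.1.
    param([Parameter(Mandatory)][string]$VersionText)
    if ($VersionText -notmatch '(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?') {
        throw "No x.y.z version token found in: $VersionText"
    }
    $v  = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
    $rc = if ($Matches[4]) { [int]$Matches[4] } else { $null }
    if ($v -lt [version]'1.3.3') { return $true }
    if ($v -eq [version]'1.4.0' -and $null -ne $rc -and $rc -le 1) { return $true }
    return $false
}

function Test-UnquotedServicePath {
    # The unquoted-search-path condition: the executable part of the registered
    # command line contains a space but is not wrapped in double quotes, so the
    # Service Control Manager resolves it ambiguously instead of as one path.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }
    $exe = if ($p -match '^(.*?\.exe)') { $Matches[1] } else { ($p -split '\s+', 2)[0] }
    return ($exe -match '\s')
}

# --- main: run both checks on this host ---
try {
    $banner = (& $AlloyExe --version 2>&1 | Out-String)
    $versionAffected = Test-AlloyVersionAffected -VersionText $banner
    Write-Host ("Version banner : " + $banner.Trim())
    Write-Host ("Affected range : " + $versionAffected)
} catch {
    Write-Warning "Could not determine the Alloy version: $_"
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; check the service name used by your installer."
} else {
    $unquoted = Test-UnquotedServicePath -ImagePath $svc.PathName
    Write-Host ("Service path   : " + $svc.PathName)
    Write-Host ("Unquoted+space : " + $unquoted)
    if ($unquoted) {
        Write-Host "Registered path is unquoted and contains spaces; upgrade to 1.3.4 / 1.4.1 per the advisory."
    }
}
```

The version test keys off the first `x.y.z[-rc.N]` token so it tolerates whatever banner format the binary prints around it. The path test looks only at the executable portion of the registered command line (up to the first `.exe`), so arguments that happen to contain spaces or quotes do not produce false positives; a `True` on both lines means the host matches the advisory's affected condition and should be upgraded.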

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service restarts
  • Unauthorized privilege escalation events in Windows Security logs
  • Execution of binaries from unusual paths

Network Indicators:

  • Unusual outbound connections from SYSTEM context following local user activity

SIEM Query:

EventID=4688 AND NewProcessName="*alloy*" AND SubjectUserName!="SYSTEM" AND ParentProcessName="services.exe"
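The "execution of binaries from unusual paths" indicator above, implemented over Windows Security log process-creation events (ID 4688). This is an added example, not part of the advisory or a Grafana tool. The sample records and the expected Alloy install path are constructed for the example; the live-log wiring at the end uses the standard `Get-WinEvent` cmdlet and requires process-creation auditing to be enabled.

```powershell
# Added example, not part of the advisory: flags 4688 records in which services.exe
# started a binary that is not one of the registered service executables. Exercised
# first on constructed records so the logic runs offline, then wired to the live log.
# The expected binary path and the sample records below are constructed for this example.

function ConvertFrom-ProcessCreationEvent {
    # Flattens a Security event (ID 4688) into the fields the detection needs.
    param([Parameter(Mandatory)]$WinEvent)
    $x = [xml]$WinEvent.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        EventID           = $WinEvent.Id
        TimeCreated       = $WinEvent.TimeCreated
        NewProcessName    = $d['NewProcessName']
        ParentProcessName = $d['ParentProcessName']
        SubjectUserName   = $d['SubjectUserName']
    }
}

function Get-RegisteredServiceBinaries {
    # Executable part of every registered service command line, lower-cased, quotes removed.
    (Get-CimInstance -ClassName Win32_Service).PathName | ForEach-Object {
        if (-not $_) { return }
        $p = $_.Trim().Trim('"')
        if ($p -match '^(.*?\.exe)') { $Matches[1].ToLowerInvariant() }
    }
}

function Find-UnregisteredServiceLaunch {
    # services.exe as parent, but the new process is not a registered service executable:
    # a normal service start never looks like this, so any hit warrants a look.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$RegisteredBinaries
    )
    $known = $RegisteredBinaries | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($e in $Events) {
        if ($e.EventID -ne 4688) { continue }
        if ($e.ParentProcessName -notmatch '\\services\.exe$') { continue }
        if ($known -contains $e.NewProcessName.ToLowerInvariant()) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Process     = $e.NewProcessName
            Parent      = $e.ParentProcessName
            User        = $e.SubjectUserName
            Reason      = 'services.exe started a binary that is not a registered service executable'
        }
    }
}

# Constructed sample: a normal service start, a start from an unexpected path, and an
# unrelated interactive launch. The install path is an assumption for this example.
$registered = @('C:\Program Files\GrafanaLabs\Alloy\alloy-windows-amd64.exe')
$sample = @(
    [pscustomobject]@{ EventID=4688; TimeCreated='2024-09-20T10:00:00'; SubjectUserName='SYSTEM'
                       NewProcessName='C:\Program Files\GrafanaLabs\Alloy\alloy-windows-amd64.exe'
                       ParentProcessName='C:\Windows\System32\services.exe' },
    [pscustomobject]@{ EventID=4688; TimeCreated='2024-09-20T10:05:00'; SubjectUserName='SYSTEM'
                       NewProcessName='C:\Program.exe'
                       ParentProcessName='C:\Windows\System32\services.exe' },
    [pscustomobject]@{ EventID=4688; TimeCreated='2024-09-20T10:06:00'; SubjectUserName='alice'
                       NewProcessName='C:\Windows\System32\notepad.exe'
                       ParentProcessName='C:\Windows\explorer.exe' }
)
Find-UnregisteredServiceLaunch -Events $sample -RegisteredBinaries $registered | Format-Table -AutoSize

# Live use on a host (process-creation auditing must be enabled for 4688 to exist):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688 } -MaxEvents 5000 |
#         ForEach-Object { ConvertFrom-ProcessCreationEvent $_ }
# Find-UnregisteredServiceLaunch -Events $live -RegisteredBinaries (Get-RegisteredServiceBinaries)
```

Unlike the SIEM query above, this filter does not depend on the process name containing "alloy" or on the subject user: a service binary started by the Service Control Manager runs with the service account (SYSTEM by default), so the discriminating signal is the path, compared against the set of executables actually registered in the service database. The allowlist is rebuilt from `Win32_Service` at run time, so it stays correct after upgrades or path changes.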
