CVE-2024-30051: A high-severity zero-day in Windows DWM Core Library. Learn about its impact, exploits, and protection steps
Microsoft has addressed CVE-2024-30051, a high-severity zero-day vulnerability in the Windows Desktop Window Manager (DWM) Core Library that was being exploited in the wild before a fix was available.
Below are the technical details currently known about this vulnerability, its impact, and the actions needed to mitigate the associated risk.
Affected products | Windows DWM Core Library
Product category | OS vulnerability
Severity | High (CVSS:3.1 base score 7.8)
Type | Elevation of privilege caused by a heap-based buffer overflow in the DWM (Desktop Window Manager) Core Library
Impact | Confidentiality (H), Integrity (H), Availability (H)
PoC | Yes
Exploited in the wild | Yes
CISA KEV catalog | Yes
Remediation action | Apply the latest Windows security updates
MITRE advisory |
Uncovered by Kaspersky researchers during an investigation into another DWM-related zero-day exploit, CVE-2024-30051 is a high-severity elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. The root cause is a heap-based buffer overflow in the library; a local attacker who triggers it can escalate to SYSTEM on affected systems, which include Windows 10 and later as well as Windows Server 2016 and later.
The patch became available yesterday (May 14th, Patch Tuesday), but Kaspersky's telemetry had already observed the vulnerability being exploited in the wild alongside QakBot and other malware, indicating that more than one threat actor had obtained access to the exploit before the fix shipped.
CVE-2024-30051 poses a significant risk to users of unpatched Windows systems. Its impact spans confidentiality, integrity, and availability, with a CVSS:3.1 base score of 7.8 (High). The attack vector is local (AV:L): the attacker must already be able to run code on the system, which limits initial exposure but is exactly how it has been used in practice, as a post-compromise privilege-escalation step for malware that has already gained a foothold. The product status listed in the advisory is as follows:
Product | Platform | Affected versions
Windows 10 Version 1809 | 32-bit, x64, ARM64 | 10.0.0 before 10.0.17763.5820
Windows Server 2019 (incl. Server Core installation) | x64 | 10.0.0 before 10.0.17763.5820
Windows Server 2022 | x64 | 10.0.0 before 10.0.20348.2461; 10.0.0 before 10.0.20348.2458
Windows 11 Version 21H2 | x64, ARM64 | 10.0.0 before 10.0.22000.2960
Windows 10 Version 21H2 | 32-bit, ARM64 | 10.0.0 before 10.0.19044.4412
Windows 11 Version 22H2 | x64, ARM64 | 10.0.0 before 10.0.22621.3593
Windows 10 Version 22H2 | 32-bit, x64, ARM64 | 10.0.0 before 10.0.19045.4412
Windows 11 Version 22H3 | ARM64 | 10.0.0 before 10.0.22631.3593
Windows 11 Version 23H2 | x64 | 10.0.0 before 10.0.22631.3593
Windows 10 Version 1507 | 32-bit, x64 | 10.0.0 before 10.0.10240.20651
Windows 10 Version 1607 | 32-bit, x64 | 10.0.0 before 10.0.14393.6981
Windows Server 2016 (incl. Server Core installation) | x64 | 10.0.0 before 10.0.14393.6981
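The build numbers in the table are what a practitioner actually checks against, because the Windows version reported by most tools omits the update build revision (UBR) that distinguishes a patched host from an unpatched one. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads the local build and UBR from the registry and compares them against the fixed builds listed above. The only assumptions are the thresholds copied from the table; the function name Test-Cve202430051Patched and the sample values at the end are constructed for illustration.

```powershell
# Added example (not from the original article or from Microsoft): compares the
# local OS build against the fixed builds in the advisory table to decide whether
# this host still needs the CVE-2024-30051 update.

# Minimum patched UBR (update build revision) per major build number.
# Values are the 10.0.<build>.<UBR> thresholds from the table above.
$FixedUbr = @{
    '10240' = 20651   # Windows 10 Version 1507
    '14393' = 6981    # Windows 10 Version 1607 / Windows Server 2016
    '17763' = 5820    # Windows 10 Version 1809 / Windows Server 2019
    '19044' = 4412    # Windows 10 Version 21H2
    '19045' = 4412    # Windows 10 Version 22H2
    '20348' = 2458    # Windows Server 2022: the table lists 2458 and 2461; the lower
                      # value is used so that either listed patched build passes
    '22000' = 2960    # Windows 11 Version 21H2
    '22621' = 3593    # Windows 11 Version 22H2
    '22631' = 3593    # Windows 11 Version 22H3 / 23H2
}

function Test-Cve202430051Patched {
    [CmdletBinding()]
    param(
        # Leave both empty to read the live system; pass values to evaluate offline.
        [string]$Build,
        [int]$Ubr
    )

    if (-not $Build) {
        # CurrentBuildNumber and UBR together form the 10.0.<build>.<UBR> version
        # used in the advisory table; [Environment]::OSVersion does not expose the UBR.
        $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $Build = [string]$cv.CurrentBuildNumber
        $Ubr   = [int]$cv.UBR
    }

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Version      = "10.0.$Build.$Ubr"
        Status       = $null
        Detail       = $null
    }

    if (-not $FixedUbr.ContainsKey($Build)) {
        # A build the advisory table does not list cannot be judged from this data.
        # Report it explicitly rather than silently treating it as patched.
        $result.Status = 'Unknown'
        $result.Detail = "Build $Build is not in the advisory table; check MSRC directly."
    }
    elseif ($Ubr -ge $FixedUbr[$Build]) {
        $result.Status = 'Patched'
        $result.Detail = "UBR $Ubr meets or exceeds the required $($FixedUbr[$Build])."
    }
    else {
        $result.Status = 'Vulnerable'
        $result.Detail = "UBR $Ubr is below the required $($FixedUbr[$Build]); install the May 2024 update."
    }
    return $result
}

# Live check on this host.
Test-Cve202430051Patched | Format-List

# Offline checks with constructed values (not real hosts), one per outcome branch.
Test-Cve202430051Patched -Build '19045' -Ubr 4291   # constructed: a 22H2 build below the threshold
Test-Cve202430051Patched -Build '22631' -Ubr 3593   # constructed: a 23H2 build exactly at the threshold
Test-Cve202430051Patched -Build '25398' -Ubr 887    # constructed: a build the table does not list
```

Run it across a fleet with Invoke-Command and collect the Status column; the Unknown branch matters because a build missing from the table (for example a Server release the advisory does not enumerate) should be looked up on MSRC rather than assumed safe.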
CVE-2024-30051 has been actively exploited in the wild, notably by threat actors delivering QakBot and other malware payloads. Because the exploit yields SYSTEM-level privileges without any user interaction, a foothold obtained as a low-privileged user can be turned into full control of the host, including arbitrary code execution as SYSTEM.
Microsoft released patches for CVE-2024-30051 in its May 2024 Patch Tuesday updates. Organizations and users are strongly advised to apply them immediately, verifying that each system has reached the fixed build listed for its version, to close off a vulnerability that attackers were already using before the fix existed.