Vulnerability in Windows is being actively exploited
Not only Windows 10 and 11 are affected, but also Windows Server 2016, 2019 and 2022. Attackers are exploiting the zero-day to gain SYSTEM privileges.
On Tuesday, Microsoft released a patch for a zero-day vulnerability in Windows that is already being actively exploited to spread malware. The flaw is tracked as CVE-2024-30051 and allows an attacker with local access to escalate to SYSTEM privileges. Only low privileges are required to begin with, and the attack complexity is rated low.
The vulnerability is a buffer overflow in the core library of the Desktop Window Manager (DWM, dwmcore.dll), the compositing window manager introduced with Windows Vista. Windows 10 and 11 as well as Windows Server 2016, 2019 and 2022 are affected. Patches have been available for all affected systems since May 14, 2024 and should be installed promptly in view of the active exploitation.
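As an added, practical check that is not part of the original article (nor code from Microsoft or Kaspersky), the following PowerShell snippet reports whether a host is in the affected product family, which dwmcore.dll version it carries, and whether any update has been installed since the May 14, 2024 release. The article names neither a KB number nor a fixed file version, so the script deliberately does not assert one; the date threshold is an assumption used as a heuristic, and the reported dwmcore.dll version should be compared against the vendor advisory for the host's build.

```powershell
# Added example: local exposure check for the DWM core library advisory.
# Assumptions (not from the article): the May 2024 cumulative update shows up in
# Get-HotFix (Win32_QuickFixEngineering) with InstalledOn >= 2024-05-14, and the
# affected family is determined from the OS caption alone.

$patchDate = [datetime]'2024-05-14'   # assumption: release date stated in the article

$os = Get-CimInstance Win32_OperatingSystem
$inAffectedFamily = $os.Caption -match 'Windows (10|11|Server 2016|Server 2019|Server 2022)'

# File version of the DWM core library on this host; compare with the advisory.
$dwmCore = Get-Item -Path (Join-Path $env:SystemRoot 'System32\dwmcore.dll')
$dwmCoreVersion = $dwmCore.VersionInfo.FileVersion

# Updates recorded as installed on or after the patch date.
$recentUpdates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate } |
    Sort-Object InstalledOn -Descending

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $os.BuildNumber
    InAffectedFamily  = $inAffectedFamily
    DwmCoreVersion    = $dwmCoreVersion
    UpdatesSincePatch = ($recentUpdates | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn.ToString('yyyy-MM-dd')))" }) -join ', '
}

if ($inAffectedFamily -and -not $recentUpdates) {
    Write-Warning "Affected Windows family and no update recorded since $($patchDate.ToString('yyyy-MM-dd')); verify the May 2024 cumulative update is installed."
}
```

Get-HotFix only lists updates that Windows records in the QFE store, so a host that was serviced by other means (for example an image refreshed from updated install media) may show no entries even though the fix is present; in that case the dwmcore.dll file version is the more reliable indicator.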
Discovered in an upload to VirusTotal
CVE-2024-30051 was discovered by security researchers at Kaspersky in early April while they were investigating another vulnerability, CVE-2023-36033. The latter is likewise a zero-day in the DWM core library that allows privilege escalation; it was discovered and patched in 2023.
During that investigation, the researchers say they noticed a file uploaded to VirusTotal on April 1. It contained a brief description of a security vulnerability in DWM, including an explanation of how it could be exploited to gain SYSTEM privileges. The technique resembled the one used to exploit CVE-2023-36033, but the underlying vulnerability was a different one.
According to the Kaspersky report, the research team immediately informed Microsoft of its discovery and began looking for exploits and attacks in the wild. In mid-April the researchers found what they were looking for: "We have seen the vulnerability being used in conjunction with Qakbot and other malware and believe that multiple threat actors have access to it," the researchers said.
Qakbot is malware that enrolls infected systems in a botnet and uses them, among other things, as a foothold for ransomware attacks. The FBI announced the dismantling of the Qakbot infrastructure in August 2023. It later emerged, however, that the people behind it had apparently not been caught: in October 2023, security researchers at Cisco Talos identified a new attack campaign linked to the Qakbot actors.
Kaspersky is still withholding technical details about CVE-2024-30051. The research team says it wants to give users time to patch their Windows systems first.