CVE Radar


CVE-2024-20692

Severity: High | Vendor: Microsoft
SVRS: 55
CVSSv3: 5.7
EPSS: 0.0107
Tags: No tags available
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Publication date: 2024-01-09
Last modified: 2025-05-03


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, CVE-2024-20692, is a Microsoft Local Security Authority Subsystem Service (LSASS) Information Disclosure Vulnerability. LSASS is the Windows component that enforces security policy, handles user authentication, and manages access tokens. The vulnerability matters because successful exploitation could let an authenticated attacker extract sensitive authentication material, including security tokens, password hashes, and NTLM credentials, from the LSASS process. That material can enable lateral movement or privilege escalation within a compromised environment, so the impact on confidentiality is severe.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS v3.1 base score for CVE-2024-20692 is 5.7, which categorizes it as a Medium severity vulnerability. The vulnerability was published to the National Vulnerability Database (NVD) on January 9, 2024. The NVD record was last modified on May 3, 2025.
3. Which products, vendors, systems, and versions are affected?
The affected vendor is Microsoft. The vulnerability impacts the Local Security Authority Subsystem Service (LSASS) across various versions of Microsoft Windows and Windows Server. Affected versions include:
  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
  • Microsoft Windows Server 2008 SP2
  • Microsoft Windows Server 2012 and 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022 and 2022 23H2
4. What is the technical root cause and attack vector?
The technical root cause of CVE-2024-20692 is classified under two Common Weakness Enumerations (CWEs): CWE-326 (Inadequate Encryption Strength) and CWE-668 (Exposure of Resource to Wrong Sphere). This indicates that the LSASS component either uses cryptographic methods that do not provide sufficient protection against modern attack techniques, or improperly exposes sensitive resources to unauthorized entities. The attack vector is Network (AV:N in the vector string). Exploitation requires an authenticated user with network access to the target system (PR:L).
5. How can this vulnerability be exploited?
To exploit this vulnerability, an attacker must have authenticated access to the target system via the network. User interaction is also required (UI:R), meaning the attacker must induce a user to perform specific actions that trigger the information disclosure. The exploitation scenario involves leveraging weaknesses in LSASS data handling to access confidential information that is processed or stored within the LSASS process, including highly sensitive authentication material such as password hashes, Kerberos tickets, and NTLM credentials. The attack complexity is considered low (AC:L) once the authenticated-access and user-interaction prerequisites are met. As of the available information, there are no known public exploits or proof-of-concept code for this vulnerability.
6. What mitigation steps and patches are available?
Microsoft has released security updates as part of its January 2024 Patch Tuesday release cycle to address CVE-2024-20692. Organizations should apply these updates immediately to all affected Windows systems. In addition to patching, recommended mitigation steps include:
  • Prioritizing the patching of domain controllers and other critical authentication infrastructure.
  • Enabling Windows Defender Credential Guard on supported systems to provide additional protection for credentials stored in LSASS by isolating it within a virtualization-based security container.
  • Reviewing and restricting network access to sensitive systems to minimize potential exposure.
  • Enabling Protected Process Light (PPL) for LSASS to detect and prevent unauthorized memory access attempts.
  • Limiting the number of users with local administrator privileges to reduce the overall attack surface.
7. How can vulnerable systems be detected?
Detection of vulnerable systems and potential exploitation can be achieved through several strategies:
  • Enable and monitor Windows Security Event logs for Event IDs related to credential access and LSASS operations, such as Event IDs 4624 (successful account logon), 4625 (account logon failure), 4648 (a logon was attempted using explicit credentials), 4768 (Kerberos authentication ticket (TGT) requested), and 4769 (Kerberos service ticket requested).
  • Deploy endpoint detection rules to identify processes attempting to read LSASS memory outside of normal system operations.
  • Implement behavioral analytics to detect anomalous patterns in authentication data access.
  • Configure Windows Defender Credential Guard alerts to be notified of attempted credential theft activities.
  • Enable Protected Process Light (PPL) for LSASS to strengthen its protection against unauthorized memory access.
  • Implement audit policies for detailed security event logging concerning credential management and authentication events.
  • Establish baselines for normal LSASS activity to facilitate anomaly detection.
8. What are the indicators of compromise (IOCs)?
Indicators of Compromise (IOCs) for CVE-2024-20692 exploitation could include:
  • Unusual process access attempts targeting the lsass.exe process from non-standard processes or user contexts.
  • Anomalous authentication patterns or credential access attempts that correlate with suspicious user activity.
  • Unexpected memory read operations against the LSASS process space.
  • Security event logs showing repeated authentication or credential enumeration activities originating from single accounts, which might suggest an attacker is attempting to gather credentials.
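As an added example (not CVE Radar's own code, and not part of this record), the following Python script applies two of the checks from the detection and IOC lists above to a handful of constructed events: it flags any process outside an assumed allow-list that opens lsass.exe with memory-read rights, and it flags accounts that produce repeated 4625/4648 events within a short window. The key=value line format, the allow-list, the time window and the threshold are assumptions chosen for this example; a real deployment would feed it exported Security log and endpoint process-access records.

```python
"""Detection helper for LSASS-related telemetry (added example, not CVE Radar code).

Two checks from the detection/IOC guidance:
  1. a process outside an assumed allow-list opens lsass.exe with memory-read rights;
  2. one account generates repeated 4625 (failed logon) or 4648 (explicit-credential
     logon) events within a short window.
Line format, allow-list, window and threshold are assumptions for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: one event per line as key=value pairs (assumed format).
SAMPLE_EVENTS = """\
ts=2024-01-10T08:00:01 id=4624 account=CORP\\alice logon_type=2 src=10.0.0.5
ts=2024-01-10T08:00:05 id=4625 account=CORP\\svc-backup src=10.0.0.77
ts=2024-01-10T08:00:06 id=4625 account=CORP\\svc-backup src=10.0.0.77
ts=2024-01-10T08:00:07 id=4625 account=CORP\\svc-backup src=10.0.0.77
ts=2024-01-10T08:00:08 id=4648 account=CORP\\svc-backup target=CORP\\dc01$ src=10.0.0.77
ts=2024-01-10T08:00:09 id=4648 account=CORP\\svc-backup target=CORP\\admin src=10.0.0.77
ts=2024-01-10T08:01:00 id=PROCESS_ACCESS source_image=C:\\Windows\\System32\\csrss.exe target_image=C:\\Windows\\System32\\lsass.exe granted_access=0x1fffff
ts=2024-01-10T08:01:30 id=PROCESS_ACCESS source_image=C:\\Users\\bob\\Downloads\\tool.exe target_image=C:\\Windows\\System32\\lsass.exe granted_access=0x1010
ts=2024-01-10T08:02:00 id=PROCESS_ACCESS source_image=C:\\Users\\bob\\Downloads\\tool.exe target_image=C:\\Windows\\System32\\svchost.exe granted_access=0x1410
ts=2024-01-10T08:03:00 id=4768 account=CORP\\alice src=10.0.0.5
"""

# Win32 process access rights that allow reading another process's memory
# (directly, or by duplicating its handles).
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
MEMORY_READ_RIGHTS = PROCESS_VM_READ | PROCESS_DUP_HANDLE

# Assumed allow-list of system binaries expected to open LSASS on a healthy host;
# tune it from a baseline of normal LSASS activity on your own fleet.
LSASS_OPENER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class Finding:
    kind: str      # which check fired
    subject: str   # offending image path or account
    detail: str    # human-readable evidence


def parse_events(text: str) -> list[dict[str, str]]:
    """Parse key=value lines into dicts; tokens without '=' are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
        events.append(fields)
    return events


def lsass_access_findings(events: list[dict[str, str]]) -> list[Finding]:
    """Flag non-allow-listed processes opening lsass.exe with memory-read rights."""
    findings = []
    for ev in events:
        if ev.get("id") != "PROCESS_ACCESS":
            continue
        if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev.get("granted_access", "0"), 16)
        source = ev.get("source_image", "").lower()
        if mask & MEMORY_READ_RIGHTS and source not in LSASS_OPENER_ALLOWLIST:
            findings.append(Finding("lsass_memory_access", source,
                                    f"granted_access={ev['granted_access']} at {ev['ts']}"))
    return findings


def repeated_auth_findings(events: list[dict[str, str]],
                           window: timedelta = timedelta(minutes=5),
                           threshold: int = 3) -> list[Finding]:
    """Flag accounts with >= threshold 4625/4648 events inside a sliding window."""
    per_account: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev.get("id") in {"4625", "4648"}:
            per_account[ev["account"]].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(Finding("repeated_credential_activity", account,
                                        f"{end - start + 1} events within {window}"))
                break  # one finding per account is enough for triage
    return findings


def analyze(text: str) -> list[Finding]:
    """Run both checks over an exported log text and return all findings."""
    events = parse_events(text)
    return lsass_access_findings(events) + repeated_auth_findings(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.kind}] {finding.subject}: {finding.detail}")
```

On the constructed sample this reports two findings: the tool.exe handle to lsass.exe with PROCESS_VM_READ set (csrss.exe is allow-listed and the svchost.exe access is not against LSASS), and the svc-backup account for three failed logons within the window. The allow-list approach deliberately errs toward noise; on a real host the list is built from an observed baseline, as the last bullet above recommends, and hosts with LSASS running as a protected process should see far fewer such open attempts succeed in the first place.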
9. Which threat actors are known to exploit this vulnerability?
As of the available information, there are no specific threat actors publicly known to be actively exploiting CVE-2024-20692. The vulnerability was published in January 2024, and no public exploits or proof-of-concept code have been reported.
10. What public intelligence references and advisories exist?
Key public intelligence references and advisories for CVE-2024-20692 include:
  • The National Vulnerability Database (NVD) entry for CVE-2024-20692, which provides detailed technical information and CVSS scoring (nvd.nist.gov/vuln/detail/CVE-2024-20692).
  • The Microsoft Security Update Guide for CVE-2024-20692, which provides official vendor information and patch details (msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20692).
  • The GitHub Advisory Database also lists this CVE, referencing the NVD and Microsoft advisories.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-20692 is medium, based on its CVSS v3.1 score of 5.7. While it requires authenticated access and user interaction, the potential impact of successful exploitation is high confidentiality loss, as it can lead to the disclosure of sensitive authentication data. This data can then be used for further attacks, such as lateral movement or privilege escalation within an organization's network. The urgency level is moderate. The Exploit Prediction Scoring System (EPSS) indicates a 1.07% probability of exploitation, placing it in the 77th percentile, suggesting a moderate likelihood of real-world exploitation attempts. Given that LSASS handles critical authentication information, immediate application of the January 2024 security updates is strongly advised, especially for critical systems like domain controllers, to prevent potential compromise of user credentials and subsequent broader network impact.

No IOCs found for this CVE

No exploits found for this CVE


Configuration 1

Type | Vendor    | Product
OS   | Microsoft | windows_10_1507
OS   | Microsoft | windows_10_1607
OS   | Microsoft | windows_10_1809
OS   | Microsoft | windows_10_21h2
OS   | Microsoft | windows_10_22h2
OS   | Microsoft | windows_11_21h2
OS   | Microsoft | windows_11_22h2
OS   | Microsoft | windows_11_23h2
OS   | Microsoft | windows_server_2008
OS   | Microsoft | windows_server_2012
OS   | Microsoft | windows_server_2016
OS   | Microsoft | windows_server_2019
OS   | Microsoft | windows_server_2022_23h2
OS   | Microsoft | windows_server_2022

Reference | Link
[email protected] | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20692
MICROSOFT LOCAL SECURITY AUTHORITY SUBSYSTEM SERVICE INFORMATION DISCLOSURE VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20692

CWE ID  | CWE Name                              | Description
CWE-326 | Inadequate Encryption Strength        | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CWE-668 | Exposure of Resource to Wrong Sphere  | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
