CVERadar

CVE-2024-11859

Severity: High
SVRS: 40/100
CVSSv3: NA/10
EPSS: 0.00027/1

CVE-2024-11859 is a DLL Search Order Hijacking vulnerability. It could let a local attacker who already holds administrative rights inject and run arbitrary code by having the affected application load a malicious DLL. The flaw is exploitable when the attacker can place that DLL in a location the application searches before the location of the legitimate DLL, and successful exploitation can lead to full system compromise. Although administrative rights are required, the vulnerability still presents a significant security risk. With an SVRS of 40 it does not represent an immediate critical threat, but it should still be addressed: while the CVSS score is 0, indicating no immediate risk, the SVRS of 40 means it should not be ignored and should be mitigated.

In The Wild
2025-04-07

2025-04-16

SOCRadar AI Insight

Description

CVE-2024-11859 is a DLL Search Order Hijacking vulnerability. It could allow an attacker with administrator privileges to load a malicious dynamic-link library (DLL) and execute arbitrary code. The SOCRadar Vulnerability Risk Score (SVRS) is 30, which is below the critical threshold of 80 but still indicates a vulnerability that should be addressed. Moreover, despite the low SVRS, the "In The Wild" tag indicates that the vulnerability is being actively exploited by threat actors.

Key Insights

  1. Privilege Escalation: The vulnerability allows an attacker who has already gained administrator access to execute arbitrary code in the context of the affected application. This is a significant security risk, as it can lead to complete system compromise.
  2. DLL Hijacking: DLL hijacking occurs when an application searches for a DLL in locations it does not control, allowing an attacker to introduce a malicious DLL that the application loads and executes in place of the legitimate one.
  3. Exploitation In the Wild: The "In The Wild" tag clearly signifies that this vulnerability is currently being used by attackers. This significantly increases the risk even with a low SVRS.
  4. CWE-427 (Uncontrolled Search Path Element): This indicates that the application does not properly control the locations from which it loads DLLs, creating an opportunity for attackers to inject malicious DLLs.

Mitigation Strategies

  1. Implement Secure DLL Loading Practices: Developers should load DLLs by their full path and use the SetDllDirectory function to control the DLL search path, so that attacker-writable locations are never searched before the legitimate DLL's directory.
  2. Principle of Least Privilege: Minimize the number of users with administrative privileges. This reduces the attack surface for DLL hijacking attacks.
  3. Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and address DLL hijacking vulnerabilities in applications. Focus on identifying processes with elevated privileges that might be susceptible to DLL hijacking.
  4. Monitor for Suspicious DLL Activity: Implement security monitoring to detect and respond to suspicious DLL loading activity, such as DLLs being loaded from unexpected locations or DLLs with known malicious hashes.
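The monitoring step above is the one a SOC can act on without touching the affected product. The following script is an added example, not SOCRadar's, ESET's or Kaspersky's code: it runs three hijack-indicator rules over constructed image-load records in a simplified Sysmon Event ID 7 style (Process, Image, Signed, Integrity as key=value pairs). The vendor path, executable name and the list of commonly planted system DLL names are assumptions chosen for illustration; version.dll is the name mentioned in coverage of this CVE.

```python
import ntpath
from dataclasses import dataclass

# Trusted directories for DLL loads. Paths are compared case-insensitively.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Names of Windows system DLLs that are frequently planted next to an executable
# so the search order finds the planted copy first. Illustrative list (assumption);
# version.dll is the name reported in coverage of this CVE.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    process: str      # full path of the executable that loaded the DLL
    image: str        # full path of the loaded DLL
    signed: bool      # whether the DLL carried a valid Authenticode signature
    integrity: str    # integrity level of the loading process, e.g. "High"


def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value | Key=Value' line into an ImageLoad record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return ImageLoad(
        process=fields["process"],
        image=fields["image"],
        signed=fields.get("signed", "false").lower() == "true",
        integrity=fields.get("integrity", "Medium"),
    )


def findings(ev: ImageLoad) -> list:
    """Return the reasons (possibly none) an image-load event looks like a hijack."""
    image = ev.image.lower()
    image_dir = ntpath.dirname(image) + "\\"
    name = ntpath.basename(image)
    process_dir = ntpath.dirname(ev.process.lower()) + "\\"
    in_system_dir = image_dir.startswith(SYSTEM_DIRS)
    reasons = []
    # Rule 1: a system DLL name resolved somewhere other than the system directories.
    if name in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append(f"{name} resolved outside the system directories")
    # Rule 2: DLL loaded from a location that is neither a system directory, a program
    # directory, nor the loading executable's own directory (typically a user-writable drop).
    if not (in_system_dir or image_dir.startswith(PROGRAM_DIRS) or image_dir.startswith(process_dir)):
        reasons.append("loaded from outside system, program and application directories")
    # Rule 3: unsigned code entering an elevated process, which is what turns an
    # already-privileged foothold into stealthy code execution inside a trusted tool.
    if not ev.signed and ev.integrity.lower() == "high":
        reasons.append("unsigned DLL loaded into a high-integrity process")
    return reasons


def scan(lines) -> list:
    """Return (dll path, reasons) for every event that triggers at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = findings(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events (not real telemetry): a legitimate load, a planted
# version.dll beside the scanner, a drop in a user-writable folder, and an
# application loading its own DLL from its own directory.
SAMPLE_EVENTS = [
    "Process=C:\\Program Files\\ExampleAV\\scanner.exe | Image=C:\\Windows\\System32\\version.dll | Signed=true | Integrity=High",
    "Process=C:\\Program Files\\ExampleAV\\scanner.exe | Image=C:\\Program Files\\ExampleAV\\version.dll | Signed=false | Integrity=High",
    "Process=C:\\Program Files\\ExampleAV\\scanner.exe | Image=C:\\Users\\Public\\Tools\\dbghelp.dll | Signed=false | Integrity=High",
    "Process=C:\\Users\\alice\\AppData\\Local\\App\\app.exe | Image=C:\\Users\\alice\\AppData\\Local\\App\\helper.dll | Signed=false | Integrity=Medium",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Rule 1 is the one that catches the pattern described on this page: a well-known system DLL name resolving inside the application's own directory rather than System32, which is exactly what search-order hijacking produces. Rule 2 alone would miss it, because the planted file sits under Program Files; that is why the rules are combined rather than relying on path allow-listing only.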

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More - The Hacker News (google.com, 2025-04-14)
Attackers aren't waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden. This week's events show a hard truth: it's not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world where AI tools can be used against you and ransomware hits faster than

ToddyCat Hackers Exploit ESET Vulnerability to Deploy Stealth Malware TCESB (blogger.com, Shivani Tiwari, 2025-04-11)
A cyber-espionage group known as ToddyCat, believed to have ties to China, has been observed exploiting a security flaw in ESET’s software to deliver a new and previously undocumented malware strain called

ToddyCat Hackers Exploit ESET Flaw to Launch Stealthy TCESB Attack (esecurityplanet.com, Aminu Abdullahi, 2025-04-10)
ToddyCat hackers exploit ESET flaw (CVE-2024-11859) to deploy stealthy TCESB malware using DLL hijacking and a vulnerable Dell driver. A cybercriminal group linked to a series of attacks across Asia has been exploiting a security vulnerability in

New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner (allhackernews.com, Ajit Jasrotia, 2025-04-09)
A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB. “Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device,” Kaspersky said […]

Flaw in ESET Security Software Used to Spread Malware From ToddyCat Group - Hstoday (google.com, 2025-04-09)
Researchers have discovered that suspected state-backed hackers could exploit a vulnerability in software from cybersecurity firm ESET to secretly infect targeted devices with malicious code. The vulnerability, tracked as CVE-2024-11859, allows attackers to plant a malicious dynamic-link library (DLL) and execute it through the ESET antivirus scanner, according to a report by the Russian cybersecurity firm Kaspersky. The malicious code runs in the background, bypassing system alerts and remaining undetected. Slovakia-based ESET confirmed the flaw in an advisory last week

Chinese ToddyCat abuses ESET antivirus bug for malicious activities - csoonline.com (google.com, 2025-04-08)
The DLL search order hijacking vulnerability allows attackers to trick Windows into executing malicious DLLs. China-backed APT group ToddyCat has been found exploiting a medium-severity vulnerability in ESET antivirus software to sneak malicious code onto vulnerable systems. Tracked as CVE-2024-11859, the flaw is a dynamic link library (DLL) search order hijacking vulnerability discovered and reported by Kaspersky last year, with a fix issued by ESET in January. “On systems with an affected ESET product installed, an attacker could plant a malicious dynamic

New ToddyCat attacks involve ESET software vulnerability exploit - SC Media (google.com, 2025-04-08)
Attacks exploiting a medium-severity ESET antivirus scanner vulnerability, tracked as CVE-2024-11859, have been conducted by the advanced persistent threat operation ToddyCat to facilitate clandestine malware compromise, according to The Record, a news site by cybersecurity firm Recorded Future. ToddyCat had leveraged the flaw to load a new DLL-masquerading TCDSB tool which is based on the EDRSandBlast tool into ESET security software to enable payload execution without being detected by security and monitoring systems, a report from Kaspersky showed. TCDSB was noted

Social Media

⚡ New Malware Alert! Chinese-linked ToddyCat exploited an ESET flaw (CVE-2024-11859) to drop new malware TCESB bypassing defenses and hijacking devices. Update now | Stay alert. https://t.co/qm3HYNp4xc

Actively exploited CVE : CVE-2024-11859

ESET: the CVE-2024-11859 flaw could allow a bypass of security policies, notably in NOD32. https://t.co/YhptPQkwP1

CVE-2024-11859 #ESET #ToddyCat https://t.co/JEtRrmDLLg

A new malware strain dubbed TCESB is being actively used in attacks by the ToddyCat APT group. It exploits a vulnerability in ESET’s Command Line Scanner (CVE-2024-11859) using DLL search order hijacking. https://t.co/ZDDi4oV1ih

A new malware strain dubbed TCESB is being actively used in attacks by the ToddyCat APT group. It exploits a vulnerability in ESET’s Command Line Scanner (CVE-2024-11859) using DLL search order hijacking. https://t.co/aK4WVqB9Ej

Yikes! Chinese-linked hackers (ToddyCat) are now exploiting an ESET flaw (CVE-2024-11859) to drop new malware, TCESB. It hijacks DLLs & uses vulnerable Dell drivers to bypass security. Stay patched, folks! #CyberSecurity #Malware #Hacking #ESET #ThreatIntel

A new malware, TCESB, delivered by the Chinese-linked ToddyCat, exploits a flaw in ESET software, bypassing defenses via DLL hijacking. ESET has patched the vulnerability (CVE-2024-11859). 🚨 #ESET #China #Malware link: https://t.co/Jz2lW3vNd6 https://t.co/VIBJxY0wmO

Chinese-linked APT group ToddyCat is behind it. They exploit CVE-2024-11859 by sideloading a fake version.dll via DLL hijacking - bypassing defenses and loading malicious payloads silently.

Hackers exploit ESET vulnerability to deploy malware, Kaspersky warns. A vulnerability in ESET antivirus (CVE-2024-11859) allowed malicious code execution via its scanning engine. https://t.co/t4F0ePj7PF #dwobservatory #dwnews #digwatch

Affected Software

No affected software found for this CVE

References

Reference: [email protected]
Link: https://support.eset.com/en/ca8810-dll-search-order-hijacking-vulnerability-in-eset-products-for-windows-fixed

CWE Details

CWE ID: CWE-427
CWE Name: Uncontrolled Search Path Element
Description: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
