CVERadar

CVE-2024-21338
Vendor: Microsoft
Severity: Critical (SOCRadar SVRS rating; the CVSS v3.1 base rating is High)
SVRS: 90/100
CVSSv3: 7.8/10
EPSS: 0.81906/1

CVE-2024-21338 is a Windows Kernel Elevation of Privilege vulnerability in appid.sys, the AppLocker driver. The flaw is an untrusted pointer dereference (CWE-822) reachable through an exposed IOCTL with insufficient access control, which lets a local attacker who already runs code on the host gain kernel-level privileges. Microsoft's CVSS v3.1 base score is 7.8 (High; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). SOCRadar's Vulnerability Risk Score (SVRS) of 90 rates it critical because of the exploitation context rather than the raw CVSS: Avast observed the Lazarus Group using it as a zero-day to load the FudModule rootkit from an administrator context (an admin-to-kernel step that replaced their earlier BYOVD technique), public proof-of-concept exploits exist, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog. The February 2024 security update (released 2024-02-13) is the fix; organizations should prioritize it wherever an attacker could already hold local or administrative access, since the bug turns that foothold into full control of the system.

Tags: In The Wild, Exploit Available, CISA KEV, Vendor advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Published: 2024-02-13
Last updated: 2025-05-03
SOCRadar AI Insight

Description:

CVE-2024-21338 is a Windows Kernel Elevation of Privilege vulnerability in the AppLocker driver (appid.sys) that lets a local attacker gain kernel-level privileges on affected systems. Its SVRS of 90 rates it critical, and the published exploit code, the in-the-wild use by Lazarus and the CISA KEV listing all reinforce the urgency of patching.

Key Insights:

  • Active Exploitation: Avast attributes in-the-wild use of CVE-2024-21338 to the Lazarus Group, which used it as an admin-to-kernel zero-day to load an upgraded FudModule rootkit instead of relying on a vulnerable third-party driver (BYOVD).
  • Public Exploit Code: several proof-of-concept exploits have since been published on GitHub and Exploit-DB (see Exploits below), so the bug is within reach of far less capable actors.
  • CISA KEV: CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2024-03-04, which confirms exploitation and obliges US federal agencies to remediate by a fixed deadline.
  • Privilege Escalation: the flaw turns a local foothold (CVSS AV:L, PR:L) into kernel-mode privileges, enabling rootkit installation and tampering with security products; it is not an initial-access vector.

Mitigation Strategies:

  • Apply Security Updates: install the Microsoft security update released on 2024-02-13 (or any later cumulative update) on every affected Windows 10, Windows 11 and Windows Server build listed under Affected Software. Patching is the fix.
  • Do Not Rely on Kernel Patch Protection: PatchGuard is always active on 64-bit Windows and is not a setting to enable, and the published proofs of concept obtain kernel read/write by abusing a thread's PreviousMode field, a data-only corruption that neither PatchGuard nor code-integrity protections stop. Such features are not a substitute for the update.
  • Restrict Administrative Privileges: the bug requires local code execution (CVSS AV:L/PR:L) and Lazarus used it from an administrator context, so minimise standing local admin rights and assume that any unpatched host on which an attacker gains admin can be taken to kernel level.
  • Detect and Contain Post-Exploitation: watch for security product processes (the FudModule analysis names Microsoft Defender, CrowdStrike Falcon and HitmanPro) being blinded or having their handles tampered with, and segment networks so a kernel-compromised host cannot freely reach the rest of the estate.

Indicators of Compromise

Type | Indicator | Date
HOSTNAME | voyagorclub.space | 2024-09-03
HOSTNAME | weinsteinfrog.com | 2024-09-03
HASH (SHA-1) | 0bbd9a8ddbb68e2658ea4c0a4106c7406a392098 | 2024-10-24
HASH (SHA-1) | 16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3 | 2024-10-24
HASH (SHA-1) | 55dc4541b72a804a7edf324d6a388569a68a2986 | 2024-10-24
HASH (SHA-1) | 66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b | 2024-10-24
HASH (SHA-1) | 78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f | 2024-10-24
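To make the indicators above usable, here is an added example (not code from the CVE Radar page or from SOCRadar) that parses the seven rows into typed indicators, infers the hash algorithm from the digest length (all five are 40 hex characters, so SHA-1), validates the hostnames, and then sweeps a handful of log lines for matches. Hostname matching is suffix-aware, so a DNS query for a subdomain of a listed host is caught. The sample DNS and file-creation log lines and the `match_log` helper are this example's own constructions, not page data.

```python
"""Turn this page's IOC table into typed indicators and sweep logs for them.

Added example, not code from the CVE Radar page or from SOCRadar. IOC_TABLE
holds the seven indicators listed on the page; SAMPLE_LOG is constructed
telemetry for the demonstration and is not a real capture.
"""
import re
from dataclasses import dataclass

IOC_TABLE = """
Type | Indicator | Date
HOSTNAME | voyagorclub.space | 2024-09-03
HOSTNAME | weinsteinfrog.com | 2024-09-03
HASH | 0bbd9a8ddbb68e2658ea4c0a4106c7406a392098 | 2024-10-24
HASH | 16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3 | 2024-10-24
HASH | 55dc4541b72a804a7edf324d6a388569a68a2986 | 2024-10-24
HASH | 66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b | 2024-10-24
HASH | 78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f | 2024-10-24
"""

ROW_RE = re.compile(r"^(?P<type>[A-Z]+)\s*\|\s*(?P<value>\S+)\s*\|\s*(?P<date>\d{4}-\d{2}-\d{2})$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# RFC 1123-style hostname: dot-separated labels, alphabetic TLD, 253 chars max.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class Indicator:
    kind: str        # "hostname", "md5", "sha1" or "sha256"
    value: str       # normalised to lower case
    first_seen: str  # ISO date from the table


def parse_ioc_table(table: str) -> list[Indicator]:
    """Parse 'TYPE | value | YYYY-MM-DD' rows; the header line is skipped."""
    indicators = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Type"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"malformed IOC row: {line!r}")
        typ, value, date = m["type"], m["value"].lower(), m["date"]
        if typ == "HASH":
            if not HEX_RE.match(value) or len(value) not in HASH_ALGO_BY_LEN:
                raise ValueError(f"unrecognised digest: {value!r}")
            kind = HASH_ALGO_BY_LEN[len(value)]   # 40 hex chars -> sha1
        elif typ == "HOSTNAME":
            if not HOSTNAME_RE.match(value):
                raise ValueError(f"invalid hostname: {value!r}")
            kind = "hostname"
        else:
            raise ValueError(f"unknown IOC type: {typ!r}")
        indicators.append(Indicator(kind, value, date))
    return indicators


def match_log(indicators: list[Indicator], log_lines: list[str]) -> list[tuple[str, Indicator]]:
    """Return (line, indicator) for each log line that contains an IOC.

    Digests must match exactly. Hostnames match on any suffix, so a query for
    cdn.voyagorclub.space is flagged against the listed voyagorclub.space.
    """
    hosts = {i.value: i for i in indicators if i.kind == "hostname"}
    digests = {i.value: i for i in indicators if i.kind != "hostname"}
    hits = []
    for line in log_lines:
        for token in re.findall(r"[a-z0-9.-]+", line.lower()):
            if token in digests:
                hits.append((line, digests[token]))
                continue
            host = token.strip(".")
            while "." in host:              # walk up the label hierarchy
                if host in hosts:
                    hits.append((line, hosts[host]))
                    break
                host = host.split(".", 1)[1]
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_LOG = [
    "2024-09-04T10:01:02Z dns qname=cdn.voyagorclub.space type=A client=10.0.0.12",
    "2024-09-04T10:01:07Z dns qname=update.microsoft.com type=A client=10.0.0.12",
    "2024-09-04T10:02:30Z file_create path=C:\\Windows\\Temp\\x.sys sha1=55DC4541B72A804A7EDF324D6A388569A68A2986",
    "2024-09-04T10:02:31Z file_create path=C:\\Windows\\Temp\\y.dll sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for line, ioc in match_log(parse_ioc_table(IOC_TABLE), SAMPLE_LOG):
        print(f"HIT {ioc.kind}={ioc.value} first_seen={ioc.first_seen}: {line}")
```

Two of the four constructed lines hit: the subdomain query and the upper-case SHA-1, which is why values are lower-cased on both sides before comparison. Bare hostnames with no dot never match, so a listed host cannot be hit by an unrelated single-label token.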

Exploits

Title | Link | Date
nomi-sec/PoC-in-GitHub | https://github.com/nomi-sec/PoC-in-GitHub | 2019-12-08
Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability | https://www.cisa.gov/search?g=CVE-2024-21338 | 2024-03-04
gogobuster/CVE-2024-21338-POC | https://github.com/gogobuster/CVE-2024-21338-POC | 2024-03-05
crackmapEZec/CVE-2024-21338-POC | https://github.com/crackmapEZec/CVE-2024-21338-POC | 2024-03-07
Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation | (link not given) | 2024-04-02
varwara/CVE-2024-21338 | https://github.com/varwara/CVE-2024-21338 | 2024-04-23
tykawaii98/CVE-2024-21338_PoC | https://github.com/tykawaii98/CVE-2024-21338_PoC | 2024-06-23

News

Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
Jan Vojtěšek, 2025-04-01 (avast.io)
The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability, CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Luigino Camastra, 2025-04-01 (avast.io)
In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is […]

Avast Q1/2024 Threat Report
Threat Research Team, 2025-04-01 (avast.io)
Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT Campaign.

Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation
Ajit Jasrotia, 2025-02-12 (allhackernews.com)
Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said have come under active exploitation in the wild. Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the […]

The Best, the Worst and the Ugliest in Cybersecurity | 2024 Edition
SentinelOne, 2024-12-27 (sentinelone.com)
Before we ring in the New Year, SentinelOne reviews and reflects on some of the most formative cyber news stories that occurred in 2024. It’s almost time to wave goodbye to the year that was 2024, and as we look ahead to 2025 and the challenges that might bring, now is a good time to reflect on the best, the worst and the ugliest cybersecurity

Microsoft Patch Tuesday 2024 Year in Review
Scott Caveza, Satnam Narang, 2024-12-11 (securityboulevard.com)
Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities. Background: Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to

Story of the Year: global IT outages and supply chain attacks
Alexander Liskin, Vladimir Kuskov, Igor Kuznetsov, Vitaly Kamluk, 2024-12-09 (securelist.com)
While the CrowdStrike incident is still fresh in our minds, Kaspersky experts look back on similar IT outages that happened in 2024 and predict potential threats for 2025. A faulty update by cybersecurity firm CrowdStrike triggered one of the largest IT outages in history, impacting approximately

Social Media

  • "Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis" published by @googlecloud. #APT37, #CVE-2024-21338, #CVE-2024-38178, #Trend, #DPRK, #CTI https://t.co/Psbiib6oMk
  • [Research] Bypassing Windows Kernel Mitigations: Part 2 - CVE-2024-21338. Dive into bypassing kCFG with a Local Privilege Escalation exploit in appid.sys (CVE-2024-21338). https://t.co/iuKVrBHZqk Coming soon: Part 3! https://t.co/1l7oWWq6qp
  • Actively exploited CVE: CVE-2024-21338
  • CVE-2024-21338 - Windows AppLocker Driver LPE Vulnerability (CVSS 7.8) https://t.co/UJ9zGtFEqr
  • Windows AppLocker Driver LPE Vulnerability - CVE-2024-21338 https://t.co/gS6uMHqrel
  • Windows AppLocker Driver LPE Vulnerability – CVE-2024-21338: https://t.co/iLvgJRKkOd PoC: 1 – Abusing PreviousMode: https://t.co/juyoIT9K87
  • Windows AppLocker Driver LPE Vulnerability - CVE-2024-21338 https://t.co/c3WJpeM9sC
  • Windows AppLocker Driver LPE Vulnerability - CVE-2024-21338 https://t.co/MVJSXdviA8
  • csirt_it: ‼️ #Microsoft: a proof of concept (#PoC) for exploiting the CVE-2024-21338 vulnerability is available online ⚠️ Where not already done, prompt updating of the affected software is recommended https://t.co/kIWrQWG9oH
  • Haven't posted anything for a long time. It's time to drop the exploit code for CVE-2024-21338, which I wrote during my free time. https://t.co/0623SdKIMZ

Affected Software

Configuration 1
Type | Vendor | Product
OS | Microsoft | windows_10_1809
OS | Microsoft | windows_server_2022
OS | Microsoft | windows_10_21h2
OS | Microsoft | windows_10_22h2
OS | Microsoft | windows_11_21h2
OS | Microsoft | windows_11_22h2
OS | Microsoft | windows_11_23h2
OS | Microsoft | windows_server_2019
OS | Microsoft | windows_server_2022_23h2

References

Source | Link
Microsoft CNA | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
Microsoft CNA | https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
GITHUB | https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
WINDOWS KERNEL ELEVATION OF PRIVILEGE VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
CISA ADP (AF854A3A-2127-422B-91AE-364DA2661108) | https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
CISA ADP (AF854A3A-2127-422B-91AE-364DA2661108) | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
CISA ADP (AF854A3A-2127-422B-91AE-364DA2661108) | https://packetstorm.news/files/id/190586/
CISA ADP (AF854A3A-2127-422B-91AE-364DA2661108) | https://www.exploit-db.com/exploits/52275

CWE Details

CWE ID | CWE Name | Description
CWE-822 | Untrusted Pointer Dereference | The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
