CVERadar

CVE-2024-38202

High Severity
Vendor: Microsoft
SVRS: 40/100
CVSSv3: 7.3/10
EPSS: 0.01392/1

CVE-2024-38202 is an elevation of privilege vulnerability in Windows Update. This flaw could allow an attacker with basic user privileges to potentially reintroduce previously fixed vulnerabilities or bypass certain Virtualization Based Security (VBS) features.

Despite a CVSS score of 7.3, its SOCRadar Vulnerability Risk Score (SVRS) is 40, indicating a moderate real-world risk. Successful exploitation requires tricking a privileged user into performing a system restore, making it less critical than vulnerabilities exploitable without user interaction. However, organizations should still apply the Microsoft security update released on October 8, 2024, to fully mitigate the attack vector. This vulnerability highlights the importance of user education and secure system administration practices to prevent potential exploitation. While not immediately critical, addressing CVE-2024-38202 is essential for maintaining a strong security posture.

Tags: In The Wild, Vendor-advisory
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2024-08-08
2025-04-16
SOCRadar AI Insight

Description

CVE-2024-38202 is an elevation of privilege vulnerability in Windows Update that could allow an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). The SVRS for this CVE is 34, indicating a moderate level of risk.

Key Insights

  • Exploitation requires user interaction: An attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore to exploit this vulnerability.
  • Public presentation: A public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024, which may increase the likelihood of exploitation attempts.
  • No active exploits: Microsoft is not aware of any attempts to exploit this vulnerability, but it is recommended to take precautions until a security update is available.
  • CISA warning: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of this vulnerability, calling for immediate and necessary measures.

Mitigation Strategies

  • Configure "Audit Object Access" settings to monitor attempts to access files related to Windows Update.
  • Audit users with permission to perform Update and Restore operations to ensure only appropriate users can perform these actions.
  • Implement access control lists (ACLs/DACLs) that restrict access to Windows Update files and to Restore operations to authorized users only.
  • Audit the use of sensitive privileges to identify access to, modification of, or replacement of Windows Update related files, since such activity can indicate an exploitation attempt.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-38202 | Microsoft Windows up to Server 2022 23H2 Update Stack access control
vuldb.com, 2025-02-27
A vulnerability was found in Microsoft Windows. It has been classified as critical. This affects an unknown part of the component Update Stack. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2024-38202. It is possible to initiate the attack remotely. There is no

Downgrade attacks open patched systems to malware
Paul Roberts (reversinglabs.com), 2024-11-06
A new report by the former SafeBreach researcher Alon Leviev is raising alarms

Iran-linked hackers target US presidential campaigns. - The CyberWire
google.com, 2024-08-17
By the CyberWire staff. At a glance. Iran-linked hackers target US presidential campaigns. Microsoft's Patch Tuesday fixes six actively exploited zero-days. Hackers leak nearly 2.7 billion records with personal information. CISA warns of actively exploited SolarWinds flaw. Google will remove high-privileged Android app from Pixel phones. FBI disrupts Radar/Dispossessor ransomware operation. New macOS malware surfaces. Australian gold mining company sustains ransomware attack. Iran-linked hackers target US presidential campaigns. The Trump campaign disclosed last Saturday that some of its internal communications had been hacked by

The August 2024 Security Update Review
Dustin Childs (zerodayinitiative.com), 2024-11-01
I have successfully survived Summer Hacker Camp, and I hope you have too. And we return just in time for Patch Tuesday and a new crop of 0-days as Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you'd rather watch the full video recap covering the entire release, you can check it out here: Adobe Patches

Microsoft Patched 6 Actively Exploited Zero-Day Flaws - TechRepublic
google.com, 2024-08-14
Patch Tuesday, Microsoft's monthly report of security updates, brought 90 CVEs, including some vulnerabilities that were being actively exploited. Some vulnerabilities originated in Chromium, meaning both Microsoft Edge and Google Chrome may have been affected. Here are the most critical flaws and patches disclosed by Microsoft on Aug. 13. Six zero-day flaws had been exploited. Threat actors had already taken advantage of six zero-day exploits in particular: CVE-2024-38106: an elevation of privilege vulnerability in the Windows kernel. CVE-2024-38107: an elevation of privilege

Microsoft patches six actively exploited vulnerabilities - CSO Online
google.com, 2024-08-13
Microsoft's August Patch Tuesday covered 10 zero-day flaws, of which six are being exploited in the wild and four are publicly disclosed. Credit: Clint Patterson / Unsplash. Microsoft fixed 88 vulnerabilities on Tuesday as part of its monthly patching cycle. Six of those flaws were already being actively exploited in the wild before a patch was available and another four were publicly disclosed, putting the total number of zero-day vulnerabilities covered in this release at 10. Of the 88 vulnerabilities patched only seven are rated critical, 79 are

Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
Ajit Jasrotia, 2024-10-28
A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. "This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach […] The post Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel appeared

Social Media

  • CVE-2024-38202 CVE-2024-21302 WindowsDowndate PoC https://t.co/oCGHVAH2mZ https://t.co/tDb3FvlKnB
  • 12) PoC Exploit Code Released for Windows 0-Day Vulnerabilities CVE-2024-38202 and CVE-2024-21302. Researchers have disclosed the technical details and released proof-of-concept (PoC) exploit code for two critical zero-day vulnerabilities in Windows, identified as CVE-2024-38202
  • #PoC Exploit for Windows #0Day Flaws CVE-2024-38202 and CVE-2024-21302 Released. These vulnerabilities could reintroduce old issues, turning patched Windows systems into zero-day targets. https://t.co/Zv4QE57DUi iocs: https://securityonline.info/poc-exploit-for-windows-0-day-flaws-cve-2024-38202-and-cve-2024-21302-released/
  • A demonstration of vulnerabilities in Windows, known as CVE-2024-38202 and CVE-2024-21302, has been made available for testing purposes. Details: https://t.co/XOzCvski02 #cybersecurity #infosec #infosecurity
  • PoC Exploit for Windows 0-Day Flaws CVE-2024-38202 and CVE-2024-21302 Released https://t.co/iolk0rBIiP
  • 🚨 CVE-2024-38202: Critical vuln in Microsoft Windows Update Stack enables improper access controls. Prioritize patching to prevent exploitation. #CyberSecurity #PatchNow
  • Actively exploited CVE: CVE-2024-38202
  • The vulnerabilities are tracked as CVE-2024-38202 and CVE-2024-21302, and can be used in downgrade attacks, where attackers can force a fully updated Windows installation to roll back to previous versions
  • 4️⃣ CVE-2024-38202 - 🏗️ Windows Update Stack Elevation 🏗️ Microsoft's latest gift to the world: an elevation of privilege vulnerability. Because nothing says "secure" like a patch that elevates your privileges to the stratosphere, where security is just a distant memory. 🚀🔧
  • CVE-2024-38202 resides within the Windows Backup component and could grant an attacker with basic user privileges the ability to reintroduce previously mitigated vulnerabilities & potentially circumvent specific functionalities of Virtualization Based Security (VBS). 2/4

Affected Software

Configuration 1

Type | Vendor    | Product
OS   | Microsoft | windows_11_22h2
OS   | Microsoft | windows_10_22h2
OS   | Microsoft | windows_server_2022
OS   | Microsoft | windows_10_1607
OS   | Microsoft | windows_11_21h2
OS   | Microsoft | windows_server_2022_23h2
OS   | Microsoft | windows_10_1809
OS   | Microsoft | windows_10_21h2
OS   | Microsoft | windows_server_2019
OS   | Microsoft | windows_server_2016
OS   | Microsoft | windows_11_23h2

References

Reference | Link
[email protected] | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202
WINDOWS UPDATE STACK ELEVATION OF PRIVILEGE VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.vicarius.io/vsociety/posts/cve-2024-38202-potential-elevation-of-privilege-vulnerability-in-windows-backup-detection-script
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.vicarius.io/vsociety/posts/cve-2024-38202-potential-elevation-of-privilege-vulnerability-in-windows-backup-mitigation-script

CWE Details

CWE ID  | CWE Name                | Description
CWE-284 | Improper Access Control | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
