The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about CVE-2024-35250, a vulnerability in the Microsoft Windows Kernel-Mode Driver that has been actively exploited. This flaw, first disclosed by Microsoft in June 2024, has a patch available but has now been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog due to evidence of exploitation in the wild.
The flaw is an untrusted pointer dereference in the driver; a local attacker who can already run code as a low-privileged user can abuse it to escalate to SYSTEM. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the fix by January 6, 2025, under Binding Operational Directive (BOD) 22-01, which requires agencies to remediate every vulnerability listed in the KEV Catalog by its assigned due date.
Details and impact of the flaw
CVE-2024-35250 is an elevation of privilege vulnerability in the Windows Kernel-Mode Driver. Its CVSS 3.1 vector reflects a local attack vector, low attack complexity, low privileges required and no user interaction: an attacker who can already execute code as a standard user can exploit it without tricking anyone else into acting. Successful exploitation grants SYSTEM-level privileges, with high impact on confidentiality, integrity and availability.
The vulnerability was reported by Angelboy (@scwuaptx) of the DEVCORE Research Team in collaboration with the Trend Micro Zero Day Initiative. Microsoft rated the flaw “Important” and assigned a CVSS 3.1 base score of 7.8, which falls in the “High” severity band.
Although Microsoft's original bulletin did not report exploitation at the time of publication, CISA's KEV listing confirms active exploitation, so organizations should treat the update as a priority rather than a routine patch.
Because kernel-mode drivers execute with kernel privileges, a memory-safety flaw in one lets an attacker who already runs code as a standard user escalate to SYSTEM, effectively taking full control of the affected machine.
While no evidence currently links this vulnerability to ransomware campaigns, local privilege escalation bugs of this kind are routinely chained with an initial foothold (phishing, a vulnerable exposed service, stolen credentials). The low complexity of this one makes it an attractive second stage, and a serious risk to enterprises and government systems alike.
CISA has set a remediation deadline of January 6, 2025, for all FCEB agencies. Although the directive does not apply to private-sector organizations, CISA strongly advises all entities to prioritize remediation as part of their vulnerability management strategies.
Microsoft released a patch for CVE-2024-35250 in its June 2024 Patch Tuesday update; applying it is the most effective way to mitigate the risk.
If updating is impractical or impossible, reduce exposure in the meantime. Isolate impacted systems, take them offline, or place them behind a firewall: since the attack vector is local, network controls do not block the exploit itself, but they limit an attacker's ability to obtain the initial foothold the exploit requires. Use endpoint detection and response (EDR) tooling to detect and respond to privilege escalation attempts, for example a process spawned as SYSTEM from a standard-user session. Enforce the principle of least privilege (PoLP), including restricting who can log on interactively and run arbitrary code on sensitive hosts, so that fewer accounts are in a position to exploit a local flaw.
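A practical way to act on KEV additions like this one is to pull CISA's KEV JSON feed, compute how far each entry is from its BOD 22-01 due date, and match entries against the vendor/product inventory you actually run. The following is example code added for this article, not CISA's or Microsoft's tooling. The embedded JSON is a constructed sample in the shape of the public KEV feed (the field names are the feed's; the `dateAdded` value and the `shortDescription` wording are assumptions), and the host inventory is likewise made up for illustration.

```python
"""Triage a CISA KEV feed excerpt: due-date countdown, overdue flag,
ransomware flag, and which inventoried hosts the entry applies to.

Example code written for this article (not CISA tooling). SAMPLE_KEV is a
constructed excerpt in the shape of the real feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The dateAdded value and shortDescription text are assumptions; the
dueDate matches the January 6, 2025 deadline reported in the article.
"""
import json
from datetime import date

# Constructed sample feed. Field names follow the public KEV JSON schema.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-35250",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Kernel-Mode Driver "
                                 "Untrusted Pointer Dereference Vulnerability",
            "dateAdded": "2024-12-16",            # assumption (constructed sample)
            "shortDescription": "Untrusted pointer dereference in the Windows "
                                "Kernel-Mode Driver allowing local privilege "
                                "escalation to SYSTEM.",  # paraphrase, constructed
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations "
                              "are unavailable.",
            "dueDate": "2025-01-06",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})

# Constructed host inventory: vendor/product pairs as they appear in KEV.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "vendorProject": "Microsoft", "product": "Windows"},
    {"host": "db-01", "vendorProject": "Oracle", "product": "Database"},
]


def load_kev(text):
    """Parse the KEV JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def days_until_due(entry, asof):
    """Signed day count to the BOD 22-01 due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - asof).days


def affected_hosts(entry, inventory):
    """Hosts whose vendor/product matches the KEV entry (case-insensitive)."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return sorted(
        h["host"] for h in inventory
        if h["vendorProject"].lower() == vendor and h["product"].lower() == product
    )


def triage(entries, inventory, asof):
    """Build a prioritised worklist: overdue first, then soonest due date.

    The ransomware flag is True only when CISA marks the entry 'Known';
    'Unknown' (as for CVE-2024-35250 in the sample) yields False.
    """
    rows = []
    for e in entries:
        days = days_until_due(e, asof)
        rows.append({
            "cveID": e["cveID"],
            "dueDate": e["dueDate"],
            "days_until_due": days,
            "status": "overdue" if days < 0 else "due",
            "ransomware": e.get("knownRansomwareCampaignUse", "").lower() == "known",
            "hosts": affected_hosts(e, inventory),
        })
    # Overdue entries (negative days) naturally sort to the front.
    return sorted(rows, key=lambda r: r["days_until_due"])


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_KEV), SAMPLE_INVENTORY, date.today()):
        print(f'{row["cveID"]}: {row["status"]} ({row["days_until_due"]} days, '
              f'due {row["dueDate"]}), ransomware={row["ransomware"]}, '
              f'hosts={row["hosts"]}')
```

In production you would replace `SAMPLE_KEV` with the downloaded feed and `SAMPLE_INVENTORY` with an export from your asset system; the matching here is a plain vendor/product comparison, so normalise those strings to CISA's naming before relying on the host list.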