CVE-2023-24871

Severity: High
Published: 14 March 2023
Modified: 21 November 2024
KEV: not listed
CVSS v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.5346 (98.0th percentile)
Risk Priority: 50 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-24871 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Microsoft Windows 10 20H2. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-24871 is a remote code execution vulnerability in the Windows Bluetooth Service, carrying a CVSS 3.1 base score of 8.8. The flaw is classified as CWE-190 (Integer Overflow or Wraparound) and allows an attacker to execute arbitrary code on an affected Windows system when the Bluetooth service processes specially crafted input.

An unauthenticated attacker with adjacent-network access can exploit the issue without user interaction to fully compromise confidentiality, integrity, and availability on the target host (CVSS vector AV:A/AC:L/PR:N/UI:N). The attack requires only proximity sufficient for Bluetooth communication; no privileges or user actions are needed.

Microsoft's advisory at the referenced MSRC URL addresses the issue through the security updates that resolve the vulnerability in supported Windows releases; applying those updates is the available fix. The EPSS score peaked at 0.5961 and currently stands at 0.5346, indicating sustained exploitation interest since disclosure.

Vulnerability details

Windows Bluetooth Service Remote Code Execution Vulnerability

CWE(s)

CWE-190: Integer Overflow or Wraparound
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product              Affected versions
microsoft  windows 10 20h2      ≤ 10.0.19042.2728
microsoft  windows 10 21h2      ≤ 10.0.19044.2728
microsoft  windows 10 22h2      ≤ 10.0.19045.2728
microsoft  windows 11 21h2      ≤ 10.0.22000.1696
microsoft  windows 11 22h2      ≤ 10.0.22000.1413
microsoft  windows server 2022  all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.