CVE-2024-29059
Published: 23 March 2024
Summary
CVE-2024-29059 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in the Microsoft .NET Framework. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-29059 is an information disclosure vulnerability in the .NET Framework, assigned CWE-209 and carrying a CVSS 3.1 base score of 7.5. The flaw allows an unauthenticated remote attacker to obtain sensitive information from affected .NET Framework installations when the component processes certain requests.
An attacker with network access can exploit the weakness without credentials or user interaction to read data that should remain confidential, potentially exposing internal application details or configuration information. The attack requires no special privileges and has no impact on integrity or availability.
Microsoft has published remediation guidance through its Security Response Center, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming that in-the-wild exploitation has been observed. The associated EPSS score currently stands at 0.9358, with a recorded peak of 0.9388, indicating sustained attacker interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26106
Vulnerability details
.NET Framework Information Disclosure Vulnerability
- CWE(s): CWE-209
- KEV Date Added: 04 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely remediation of known vulnerabilities such as CVE-2024-29059 that appear in CISA's exploited list.
- SI-11 (Error Handling): Addresses the CWE-209 root cause by ensuring error messages do not expose sensitive information to remote unauthenticated callers.
- Enforces information-flow policies that can block unauthorized disclosure of confidential data over the network.