Cyber Resilience

CVE-2024-29059

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 March 2024

Modified: 28 October 2025
KEV Added: 04 February 2025
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9358 (99.8th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29059 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Microsoft .NET Framework. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-29059 is an information disclosure vulnerability in the .NET Framework, assigned CWE-209 and carrying a CVSS 3.1 base score of 7.5. The flaw allows an unauthenticated remote attacker to obtain sensitive information from affected .NET Framework installations when the component processes certain requests.

An attacker with network access can exploit the weakness without credentials or user interaction to read data that should remain confidential, potentially exposing internal application details or configuration information. The attack requires no special privileges and leaves integrity and availability untouched.

Microsoft has published remediation guidance through its Security Response Center, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming that in-the-wild exploitation has been observed. The associated EPSS score currently stands at 0.9358 with a recorded peak of 0.9388, indicating sustained attacker interest after public disclosure.

Vulnerability details

.NET Framework Information Disclosure Vulnerability

CWE(s): CWE-209
KEV Date Added: 04 February 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft .net framework: 2.0, 3.0, 3.5, 3.5.1, 4.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of known vulnerabilities such as CVE-2024-29059 that appear in CISA's exploited list.

prevent

Addresses CWE-209 root cause by ensuring error messages do not expose sensitive information to remote unauthenticated callers.

prevent

Enforces information-flow policies that can block unauthorized disclosure of confidential data over the network.
