CVE-2024-30010
Published: 14 May 2024
Summary
CVE-2024-30010 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-30010 is a remote code execution vulnerability affecting the Windows Hyper-V component. It carries a CVSS 3.1 base score of 8.8 with an attack vector of network, low attack complexity, low privileges required, and no user interaction, resulting in high impact to confidentiality, integrity, and availability. The weakness is associated with CWE-23.
An authenticated attacker with low privileges can exploit the flaw over a network connection to execute arbitrary code on a vulnerable Hyper-V host. Successful exploitation grants the attacker full control equivalent to the compromised process privileges, enabling actions such as installing programs, viewing or modifying data, or creating new accounts.
Microsoft security advisories published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30010 detail the available patches and mitigation steps for affected Windows versions.
The associated EPSS score has remained flat at 0.1040 with no material rise observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27950
Vulnerability details
Windows Hyper-V Remote Code Execution Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.