CVE-2024-30036

Severity: Medium
Published: 14 May 2024
Modified: 08 January 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: Microsoft advisory available (see Deeper analysis)
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0717 (91.8th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30036 is a medium-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Microsoft Windows Server 2008 (see Affected Assets below for the full list of affected Windows Server releases). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, its EPSS score places it in the top 8.2% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-30036 is an information disclosure vulnerability affecting the Windows Deployment Services component. It carries a CVSS 3.1 base score of 6.5 and is associated with CWE-41. The flaw permits unauthorized exposure of sensitive data when the affected service processes certain network requests.

An authenticated attacker with low privileges can exploit the issue remotely over the network without user interaction (vector AV:N/AC:L/PR:L/UI:N). Successful exploitation results in high-impact disclosure of confidential information (C:H) while leaving integrity and availability unaffected (I:N/A:N).

Microsoft has published an advisory for CVE-2024-30036 that details available patches and mitigation guidance; administrators should consult the Microsoft Security Response Center update guide entry for this CVE for remediation steps. The EPSS score has remained flat at 0.0717 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

Title: Windows Deployment Services Information Disclosure Vulnerability

CWE(s)

CWE-41: Improper Resolution of Path Equivalence
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft

Windows Server 2008: all versions, R2
Windows Server 2012: all versions, R2
Windows Server 2016: builds up to and including 10.0.14393.6981
Windows Server 2019: builds up to and including 10.0.17763.5820
Windows Server 2022: builds up to and including 10.0.20348.2461

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.