Cyber Resilience

CVE-2024-38044

High

Published: 09 July 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: vendor remediation guidance available
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0476 (89.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38044 is a high-severity Numeric Truncation Error (CWE-197) vulnerability in the DHCP Server Service of Microsoft Windows Server, affecting Windows Server 2012 and the later releases listed under Affected Assets. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 10.3% of CVEs by EPSS exploit likelihood (89.7th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-38044 is a remote code execution vulnerability in the Windows DHCP Server Service. It carries a CVSS 3.1 base score of 7.2 with the vector string AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-197 (Numeric Truncation Error) and CWE-681 (Incorrect Conversion between Numeric Types). The flaw was publicly disclosed on 9 July 2024.

An attacker who already holds high privileges on an affected DHCP server (PR:H in the vector) can trigger the issue over the network (AV:N) without user interaction to execute arbitrary code, resulting in full loss of confidentiality, integrity, and availability on the target system.

Microsoft has published remediation guidance for the vulnerability at the Microsoft Security Response Center advisory page referenced in the CVE record.

The EPSS score for this CVE rose from lower values after disclosure to a recorded peak of 0.0650 on 11 December 2025 before receding to the current level of 0.0476, indicating a period of increased exploitation interest following publication.

EU & UK References

Vulnerability details

DHCP Server Service Remote Code Execution Vulnerability

CWE(s): CWE-197 (Numeric Truncation Error), CWE-681 (Incorrect Conversion between Numeric Types)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows Server 2012 and 2012 R2: all versions
Microsoft Windows Server 2016: builds ≤ 10.0.14393.7159
Microsoft Windows Server 2019: builds ≤ 10.0.17763.6054
Microsoft Windows Server 2022: builds ≤ 10.0.20348.2582
Microsoft Windows Server 2022 23H2: builds ≤ 10.0.25398.1009

Mitigating Controls

No mitigating controls mapped yet: the per-CVE control annotator has not yet processed this CVE.

References