Cyber Resilience

CVE-2024-38072

Severity: High

Published: 09 July 2024

Modified: 21 November 2024
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1404 (94.5th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38072 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows Server 2016. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 5.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Windows Remote Desktop Licensing Service contains a denial of service vulnerability tracked as CVE-2024-38072. The flaw is present in the licensing component of Windows Remote Desktop Services and carries a CVSS 3.1 base score of 7.5, reflecting a network-reachable condition that requires no authentication or user interaction. The associated weakness identifiers are CWE-476 and NVD-CWE-noinfo.

An unauthenticated attacker can send specially crafted network traffic to an affected system and trigger a crash or resource exhaustion in the licensing service, resulting in loss of availability while leaving confidentiality and integrity unaffected. Because the attack vector is rated as network and the complexity is low, remote exploitation is possible against any exposed Remote Desktop Licensing instance.

Microsoft’s security advisory at msrc.microsoft.com details the affected Windows versions and supplies the corresponding security updates that address the issue. Organizations are advised to apply the patches through normal update channels to eliminate the denial-of-service condition. The EPSS score has remained near 0.14 with only a negligible peak of 0.1436, indicating limited observed exploitation interest to date.

Vulnerability details

Windows Remote Desktop Licensing Service Denial of Service Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft. Affected product versions (highest affected build shown):

Windows Server 2016: ≤ 10.0.14393.7159
Windows Server 2019: ≤ 10.0.17763.6054
Windows Server 2022: ≤ 10.0.20348.2582
Windows Server 2022 23H2: ≤ 10.0.25398.1009
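The affected-build ceilings above, together with the analysis that only an exposed Remote Desktop Licensing instance is at risk, give a straightforward triage check. The script below is an added example, not part of this advisory record: it compares the local 10.0.<build>.<UBR> version with the ceilings listed and reports whether the licensing service is running. It assumes the service name TermServLicensing for Remote Desktop Licensing and reads the build from the CurrentBuildNumber and UBR registry values.

```powershell
# Added example (not part of this advisory record): report whether this host
# runs a Windows Server build at or below the affected ceilings for
# CVE-2024-38072 and whether the Remote Desktop Licensing service is running.
# Assumptions: service name 'TermServLicensing' (Remote Desktop Licensing);
# CurrentBuildNumber and UBR together form the 10.0.<build>.<UBR> version.

# Highest affected UBR per build line, taken from the Affected Assets list.
$AffectedCeilings = @{
    14393 = 7159   # Windows Server 2016
    17763 = 6054   # Windows Server 2019
    20348 = 2582   # Windows Server 2022
    25398 = 1009   # Windows Server 2022 23H2
}

function Test-Cve202438072Exposure {
    [CmdletBinding()]
    param(
        [int]$Build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber),
        [int]$Ubr   = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR)
    )
    $result = [ordered]@{
        Version          = "10.0.$Build.$Ubr"
        KnownBuildLine   = $AffectedCeilings.ContainsKey($Build)
        BuildUnpatched   = $false
        LicensingService = 'NotInstalled'
        Exposed          = $false
    }
    # A build line not in the list is outside the advisory's scope, not "safe by default".
    if ($result.KnownBuildLine) {
        $result.BuildUnpatched = ($Ubr -le $AffectedCeilings[$Build])
    }
    # Assumed service name; a missing service means the licensing role is not installed.
    $svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
    if ($svc) { $result.LicensingService = $svc.Status.ToString() }
    # Exposure needs both: an unpatched build and the licensing service actually running.
    $result.Exposed = $result.BuildUnpatched -and ($result.LicensingService -eq 'Running')
    return [pscustomobject]$result
}

# Run locally, or pass -Build/-Ubr values collected from inventory for offline checks.
Test-Cve202438072Exposure | Format-List
```

Hosts reporting Exposed = True should receive the July 2024 update through the normal patch channel; hosts with an unpatched build but no licensing service are not reachable through this vulnerability but still warrant patching.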

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
