Cyber Resilience

CVE-2024-38076

Severity: Critical
Published: 09 July 2024
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1091 (93.6th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38076 is a critical-severity heap-based buffer overflow (CWE-122) in the Windows Remote Desktop Licensing Service, affecting the Windows Server releases listed under Affected Assets. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 6.4% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Windows Remote Desktop Licensing Service contains a remote code execution vulnerability tracked as CVE-2024-38076. It is rated 9.8 under CVSS 3.1 (network attack vector, low attack complexity, no privileges required, no user interaction) and is classified as CWE-122, heap-based buffer overflow. The affected component is the licensing service on supported Windows Server releases, and a host is exposed only when that service is running and reachable over the network.

An unauthenticated attacker who can reach the service sends specially crafted network requests that trigger the overflow and achieve arbitrary code execution in the context of the service account, giving complete confidentiality, integrity, and availability impact on the affected host.

Microsoft's Security Update Guide at msrc.microsoft.com provides the July 2024 updates and mitigation guidance for this vulnerability. The EPSS score has stayed essentially flat, moving from a peak of 0.1099 to the current 0.1091, so the model has seen no material change in predicted exploitation likelihood since disclosure. Note that EPSS is a prediction, not evidence of observed exploitation; KEV status is the signal for confirmed in-the-wild use.

Vulnerability details

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

CWE(s): CWE-122 Heap-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

The build listed for each product is the first fixed build (the July 2024 update); any earlier build of that product is affected.

Vendor      Product                    Affected builds
microsoft   windows server 2016        < 10.0.14393.7159
microsoft   windows server 2019        < 10.0.17763.6054
microsoft   windows server 2022        < 10.0.20348.2582
microsoft   windows server 2022 23h2   < 10.0.25398.1009
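The table above is only useful if it can be checked against a host. The PowerShell below is an added example written for this page, not tooling from Microsoft or from the advisory: it reads the local OS build and update revision from the registry, compares the revision against the fixed builds listed above, and reports whether the Remote Desktop Licensing service is installed and running, since a patched host or a host without the service running is not exposed. It assumes the service's short name is TermServLicensing (the page does not give it) and that it is run in an elevated PowerShell on the server being assessed.

```powershell
# Added example for CVE-2024-38076 exposure triage (not from the advisory).
# Run in an elevated PowerShell on the Windows Server being checked.

# First fixed build revision (UBR) per base build, taken from the advisory's
# affected-asset list. A host whose UBR is lower than this value is unpatched.
$FixedBuilds = @{
    '14393' = 7159   # Windows Server 2016
    '17763' = 6054   # Windows Server 2019
    '20348' = 2582   # Windows Server 2022
    '25398' = 1009   # Windows Server 2022 23H2
}

function Get-OsBuild {
    # CurrentBuildNumber is the base build (e.g. 14393); UBR is the Update
    # Build Revision appended after the dot (e.g. 7159 in 14393.7159).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber
        Ubr   = [int]$cv.UBR
    }
}

function Test-Cve202438076 {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        # Assumed short name of the Remote Desktop Licensing service.
        [string]$ServiceName = 'TermServLicensing'
    )

    $key = [string]$Build
    if (-not $FixedBuilds.ContainsKey($key)) {
        # Base build not in the advisory's list (e.g. a client SKU or a newer
        # Server release): report it rather than guessing.
        return [pscustomobject]@{
            Build        = "$Build.$Ubr"
            FixedBuild   = 'n/a'
            PatchStatus  = 'NotCoveredByList'
            ServiceState = 'n/a'
            Exposed      = $null
        }
    }

    $patchStatus = if ($Ubr -lt $FixedBuilds[$key]) { 'Vulnerable' } else { 'Patched' }

    # Service presence and state: the licensing role service only exists where
    # the RDS Licensing role service was installed.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        Build        = "$Build.$Ubr"
        FixedBuild   = "$Build.$($FixedBuilds[$key])"
        PatchStatus  = $patchStatus
        ServiceState = $serviceState
        # Exposed only when the build is unpatched AND the service is running;
        # a stopped or absent service is not reachable from the network.
        Exposed      = ($patchStatus -eq 'Vulnerable' -and $serviceState -eq 'Running')
    }
}

$os = Get-OsBuild
Test-Cve202438076 -Build $os.Build -Ubr $os.Ubr | Format-List
```

To sweep a fleet, wrap the two calls in Invoke-Command -ComputerName against the list of RD license servers and collect the objects; hosts reporting Exposed = True are the ones to patch or isolate first. The registry UBR check is more reliable than Get-HotFix, which can miss cumulative updates installed through some deployment channels.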

Mitigating Controls

No mitigating controls have been mapped to this CVE yet (the per-CVE control annotator has not reached it). Until they are, the controls supported by the advisory are installing Microsoft's July 2024 update and limiting network reachability of the Remote Desktop Licensing service to the hosts that actually act as RD license servers.
