CVE-2024-38213
Published: 13 August 2024
Summary
CVE-2024-38213 is a medium-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows; Windows Server 2012 is among the affected releases. Its CVSS v3.1 base score is 6.5 (Medium).
Operationally, it ranks in the top 1.7% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified in this analysis are NIST SP 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2024-38213 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism. MOTW is how Windows tags files that originate from the internet or another untrusted zone: on NTFS the tag is stored as the Zone.Identifier alternate data stream, and downstream consumers such as SmartScreen, Office Protected View and the Office macro block read that tag to prompt before execution or to block active content. The flaw allows an attacker-supplied file to evade the tag, so those downstream protections never engage.
Exploitation requires no authentication but does require user interaction: the attacker supplies a specially crafted file that the victim must open or save. The CVSS vector records high integrity impact with no confidentiality or availability impact (C:N/I:H/A:N); in practice, a file that should have carried the tag is treated as local, so macros, scripts or executables that MOTW would have blocked or warned about can run without the usual prompt.
Microsoft's advisory at msrc.microsoft.com lists the affected Windows builds and the corresponding security updates. Because CISA has added the CVE to its Known Exploited Vulnerabilities catalog, federal agencies must remediate by the BOD 22-01 due date, and other organizations should treat KEV inclusion as a priority signal.
The EPSS score is 0.5932 (roughly a 59% estimated probability of exploitation activity within the next 30 days), and KEV inclusion confirms that in-the-wild exploitation has been observed.
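As an added illustration (example code, not from Microsoft's advisory or this page's source), the PowerShell below shows where the MOTW tag actually lives and gives a defender a simple audit for files that arrived without it, which is the artifact a successful bypass leaves behind. It assumes an NTFS volume and Windows PowerShell 5.1 or later; the demo file name and the Downloads folder are placeholders.

```powershell
# Added example: inspect and audit Mark of the Web (MOTW) tags.
# MOTW is the NTFS alternate data stream "Zone.Identifier" on a file.
# ZoneId 3 (Internet) and 4 (Restricted sites) are the zones that make
# SmartScreen, Office Protected View and macro blocking engage; 0-2 are trusted.

function Get-MotwZone {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Returns $null when the file carries no Zone.Identifier stream at all.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    # Stream body looks like: [ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://...
    $body = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($body -match '(?m)^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Find-UntaggedDownloads {
    # Hunting heuristic: recent files in a download location that carry no
    # Internet/Restricted tag. Locally created files also match, so review
    # results rather than alerting on them blindly.
    param([string]$Folder = "$env:USERPROFILE\Downloads",   # placeholder
          [int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $zone = Get-MotwZone -Path $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = $zone
                Flag   = ($null -eq $zone -or $zone -lt 3)
            }
        } | Where-Object Flag
}

# Demo on a constructed file (placeholder path).
$tmp = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $tmp -Value 'hello'
"Before tagging: zone = $(Get-MotwZone -Path $tmp)"     # no tag yet

# Tag it the way a browser would on download (ZoneId 3 = Internet).
Set-Content -LiteralPath $tmp -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"After tagging:  zone = $(Get-MotwZone -Path $tmp)"     # 3

# Unblock-File removes the stream, the same effect as the user clicking Unblock.
Unblock-File -LiteralPath $tmp
"After unblock:  zone = $(Get-MotwZone -Path $tmp)"     # no tag again

Find-UntaggedDownloads | Format-Table -AutoSize
```

The audit detects the consequence of a bypass (an untagged file in a location that should only receive tagged files), not the bypass itself; it is a hunting aid alongside patching, not a replacement for it.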
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37180
Vulnerability details
Windows Mark of the Web Security Feature Bypass Vulnerability
- CWE(s): CWE-693 (Protection Mechanism Failure)
- KEV Date Added: 13 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the August 2024 security update that eliminates the Mark of the Web bypass before it can be exploited.
- SI-3 (Malicious Code Protection): enforces the malicious-code protections (SmartScreen, Office Protected View, macro blocking) that rely on Mark of the Web origin marking to block or warn on untrusted files. These are exactly the protections the bypass defeats, so they complement patching rather than replace it.
- Attribute-based access enforcement: enforces access decisions using security attributes (file zone markings) that the vulnerability allows an attacker to bypass.