Cyber Resilience

CVE-2024-38213

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 August 2024

Modified: 28 October 2025
KEV Added: 13 August 2024
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.5932 (98.3th percentile)
Risk Priority: 69 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38213 is a medium-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2024-38213 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism. MOTW is the Windows component that tags files originating from the internet or other untrusted zones and enforces security restrictions such as blocking macros or prompting before execution; the flaw allows this protection to be circumvented.

An unauthenticated remote attacker can exploit the issue by supplying a specially crafted file that a user must open or save. Successful exploitation has a high impact on integrity: the attacker bypasses MOTW restrictions and can potentially run unauthorized code or content that would otherwise be blocked.

Microsoft’s advisory at msrc.microsoft.com details the affected Windows builds and the availability of patches; CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating that remediation should be prioritized according to agency guidance.

The EPSS score has reached 0.5932, and the vulnerability’s presence in the CISA KEV list confirms observed in-the-wild exploitation activity.

EU & UK References

Vulnerability details

Windows Mark of the Web Security Feature Bypass Vulnerability

CWE(s)
KEV Date Added: 13 August 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 10 1507 · ≤ 10.0.10240.20680
microsoft · windows 10 1607 · ≤ 10.0.14393.7070
microsoft · windows 10 1809 · ≤ 10.0.17763.5936
microsoft · windows 10 21h2 · ≤ 10.0.19044.4529
microsoft · windows 10 22h2 · ≤ 10.0.19045.4529
microsoft · windows 11 21h2 · ≤ 10.0.22000.3019
microsoft · windows 11 22h2 · ≤ 10.0.22621.3737
microsoft · windows 11 23h2 · ≤ 10.0.22631.3737
microsoft · windows server 2012 · r2 · ≤ 6.2.9200.24919
microsoft · windows server 2016 · ≤ 10.0.14393.7070
+3 more product configuration(s) — see NVD for full list
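
An added triage example (not part of the original page or of Microsoft's advisory): it compares host build strings against the version ceilings listed above to decide which hosts to remediate first. The host names and host builds are constructed sample data and the function names are hypothetical. Builds on branches the page does not list are reported as not-listed, because only part of the NVD configuration list is shown here.

```python
import re

# Ceilings copied from the Affected Assets list on this page, keyed by the
# first three version components (major.minor.build). Value = highest
# revision the page marks as affected.
AFFECTED_CEILING = {
    "10.0.10240": 20680,  # windows 10 1507
    "10.0.14393": 7070,   # windows 10 1607 and windows server 2016
    "10.0.17763": 5936,   # windows 10 1809
    "10.0.19044": 4529,   # windows 10 21h2
    "10.0.19045": 4529,   # windows 10 22h2
    "10.0.22000": 3019,   # windows 11 21h2
    "10.0.22621": 3737,   # windows 11 22h2
    "10.0.22631": 3737,   # windows 11 23h2
    "6.2.9200": 24919,    # windows server 2012 entry
}

_BUILD_RE = re.compile(r"(\d+\.\d+\.\d+)\.(\d+)", re.ASCII)

def classify(build):
    """Return 'affected', 'above-ceiling', 'not-listed' or 'invalid'."""
    match = _BUILD_RE.fullmatch(build.strip())
    if match is None:
        return "invalid"          # revision missing or malformed: cannot decide
    ceiling = AFFECTED_CEILING.get(match.group(1))
    if ceiling is None:
        return "not-listed"       # branch absent from this page; check NVD
    return "affected" if int(match.group(2)) <= ceiling else "above-ceiling"

def triage(inventory):
    """Group host names by classification; host lists are sorted."""
    groups = {}
    for host, build in inventory.items():
        groups.setdefault(classify(build), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "ws-014": "10.0.19045.4529",    # exactly at the ceiling: still affected
    "ws-022": "10.0.22631.4037",
    "srv-db1": "10.0.14393.6981",
    "srv-app3": "10.0.20348.2582",  # branch not in the list on this page
    "kiosk-7": "10.0.19045",        # inventory record lacks the revision
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as invalid or not-listed need a follow-up lookup rather than being treated as safe.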

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of patches to eliminate the Mark of the Web bypass flaw before exploitation.

prevent

Enforces malicious-code protections that rely on Mark of the Web origin marking to block or warn on untrusted files.

prevent

Enforces access decisions using security attributes (file zone/markings) that the vulnerability allows an attacker to bypass.

References