CVE-2024-38217
Published: 10 September 2024
Summary
CVE-2024-38217 is a medium-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Invalid Code Signature (T1036.001). The CVE ranks in the top 5.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2024-38217 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism. MOTW is a Windows component that applies security zone identifiers to files originating from the internet or other untrusted sources, triggering additional protections such as Windows Defender SmartScreen or application restrictions. The flaw received a CVSS v3.1 score of 5.4 and was published on 10 September 2024.
An unauthenticated remote attacker can exploit the issue by delivering a crafted file or link that causes Windows to fail to apply or respect MOTW markings. Successful exploitation requires user interaction such as opening the file and results in limited integrity and availability impacts without direct confidentiality loss.
Microsoft’s advisory at msrc.microsoft.com details the affected Windows builds and available updates, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score stands at 0.1377 with an identical peak value, indicating steady rather than sharply rising exploitation interest after disclosure.
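MOTW is persisted as an NTFS alternate data stream named Zone.Identifier, so defenders can audit whether downloaded files carry the marking the advisory describes. The PowerShell script below is an added example (not from the advisory, Microsoft, or CISA) that lists files in a folder with no Zone.Identifier stream or with a zone below Internet; the default folder, extension list and zone threshold are assumptions to adjust per environment.

```powershell
# Added audit script: flag files that lack a Mark-of-the-Web stream or carry a
# ZoneId below 3 (Internet), so that files that should have triggered SmartScreen
# or attachment-manager checks can be reviewed. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows with an NTFS volume (assumptions, not advisory content).
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    # Extensions worth reviewing when unmarked; assumed list, tune for your estate.
    [string[]]$Extensions = @('.lnk', '.exe', '.dll', '.js', '.vbs', '.ps1', '.iso', '.zip')
)

function Get-MotwInfo {
    param([string]$File)
    # Zone.Identifier is an INI-style stream:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...
    #   HostUrl=https://...
    $stream = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }          # no ADS at all: unmarked file
    $info = @{}
    foreach ($line in $stream) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') { $info[$Matches[1]] = $Matches[2].Trim() }
    }
    return [pscustomobject]@{
        ZoneId      = if ($info.ContainsKey('ZoneId')) { [int]$info['ZoneId'] } else { $null }
        ReferrerUrl = $info['ReferrerUrl']
        HostUrl     = $info['HostUrl']
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $motw = Get-MotwInfo -File $_.FullName
        # Zone 3 (Internet) and 4 (Restricted) are the values that trigger protections.
        $status = if ($null -eq $motw) { 'NO_MOTW' }
                  elseif ($null -eq $motw.ZoneId -or $motw.ZoneId -lt 3) { "WEAK_ZONE($($motw.ZoneId))" }
                  else { "OK($($motw.ZoneId))" }
        [pscustomobject]@{
            Status   = $status
            File     = $_.FullName
            Modified = $_.LastWriteTime
            Host     = $motw.HostUrl
        }
    } |
    Where-Object { $_.Status -notlike 'OK*' } |   # report only unmarked / weakly marked files
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Files that a user copied from a local or intranet source will legitimately show NO_MOTW or a low zone, so treat the output as a review list rather than an alert feed.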
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37184
Vulnerability details
Windows Mark of the Web Security Feature Bypass Vulnerability
- CWE(s): CWE-693 (Protection Mechanism Failure)
- KEV Date Added: 10 September 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-38217 is a Mark-of-the-Web bypass vulnerability exploited via LNK handling bugs (T1553.005). It enables evasion of Smart App Control/SmartScreen with signed malware (T1553.002), invalid code signatures (T1036.001), and reputation hijacking using trusted utilities such as JamPlus (T1127.003) and AutoHotkey (T1059.010).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires applying the vendor patch that closes the Mark of the Web bypass.
- Supplies secondary malicious-code scanning and execution blocking that remains effective even when MotW marking is evaded.
- CM-7 (Least Functionality): Enforces least-functionality restrictions (e.g., application allow-listing) that limit what downloaded files can do after a MotW bypass.