Cyber Resilience

CVE-2024-38217

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 September 2024
Modified: 28 October 2025
KEV Added: 10 September 2024
Patch: available from Microsoft (see the advisory at msrc.microsoft.com)
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
EPSS Score: 0.1377 (94.4th percentile)
Risk Priority: 39 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38217 is a medium-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Invalid Code Signature (T1036.001). The CVE ranks in the top 5.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2024-38217 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism. MOTW is a Windows component that applies security zone identifiers to files originating from the internet or other untrusted sources, triggering additional protections such as Windows Defender SmartScreen or application restrictions. The flaw received a CVSS v3.1 score of 5.4 and was published on 10 September 2024.

An unauthenticated remote attacker can exploit the issue by delivering a crafted file or link that causes Windows to fail to apply or respect MOTW markings. Successful exploitation requires user interaction such as opening the file and results in limited integrity and availability impacts without direct confidentiality loss.

Microsoft’s advisory at msrc.microsoft.com details the affected Windows builds and available updates, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score stands at 0.1377 with an identical peak value, indicating steady rather than sharply rising exploitation interest after disclosure.


Vulnerability details

Windows Mark of the Web Security Feature Bypass Vulnerability

CWE(s): Protection Mechanism Failure (CWE-693)
KEV Date Added: 10 September 2024

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1036.001 Invalid Code Signature (Stealth)
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool.
T1127.003 JamPlus (Stealth)
Adversaries may use `JamPlus` to proxy the execution of a malicious script.
T1553.002 Code Signing (Defense Impairment)
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
T1553.005 Mark-of-the-Web Bypass (Defense Impairment)
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
T1059.010 AutoHotKey & AutoIT (Execution)
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts.
Why these techniques?

CVE-2024-38217 is a Mark-of-the-Web bypass vulnerability exploited via LNK handling bugs (T1553.005), enabling evasion of Smart App Control/SmartScreen with signed malware (T1553.002), invalid code signatures (T1036.001), and reputation hijacking using trusted utilities like JamPlus (T1127.003) and AutoHotkey (T1059.010).

Affected Assets

Microsoft Windows 10 1507: ≤ 10.0.10240.20766
Microsoft Windows 10 1607: ≤ 10.0.14393.7336
Microsoft Windows 10 1809: ≤ 10.0.17763.6293
Microsoft Windows 10 21H2: ≤ 10.0.19044.4894
Microsoft Windows 10 22H2: ≤ 10.0.19045.4894
Microsoft Windows 11 21H2: ≤ 10.0.22000.3197
Microsoft Windows 11 22H2: ≤ 10.0.22621.4169
Microsoft Windows 11 23H2: ≤ 10.0.22631.4169
Microsoft Windows 11 24H2: ≤ 10.0.26100.1742
Microsoft Windows Server 2008: all versions, including R2
+5 more product configuration(s); see NVD for the full list
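An added defender-side check, not part of this record or of Microsoft's advisory: a PowerShell script that reads the local build number and update build revision (UBR) from the registry, compares them against the thresholds transcribed from the Affected Assets table above, and lists which files in a folder carry the Zone.Identifier stream that the Mark of the Web mechanism described under "Deeper analysis" depends on. The Downloads folder is an assumed default; the Server 2008 entry ("all versions") is not modelled.

```powershell
# Added example: host build check against the thresholds on this page, plus a
# MotW (Zone.Identifier) inventory. Assumption: a UBR above the listed value
# means the fix is installed; the values are the "<=" entries from the table.
$AffectedMax = @{
    10240 = 20766   # Windows 10 1507
    14393 = 7336    # Windows 10 1607
    17763 = 6293    # Windows 10 1809
    19044 = 4894    # Windows 10 21H2
    19045 = 4894    # Windows 10 22H2
    22000 = 3197    # Windows 11 21H2
    22621 = 4169    # Windows 11 22H2
    22631 = 4169    # Windows 11 23H2
    26100 = 1742    # Windows 11 24H2
}
# Windows Server 2008 / 2008 R2 is listed as "all versions" and is not modelled here.

function Test-Cve202438217Build {
    # Build and UBR live under the CurrentVersion key; together they form 10.0.<build>.<ubr>.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if (-not $AffectedMax.ContainsKey($build)) {
        return [pscustomobject]@{ Build = "10.0.$build.$ubr"; Status = 'Not in table; check NVD' }
    }
    $status = if ($ubr -le $AffectedMax[$build]) { 'AFFECTED (update missing)' } else { 'Patched' }
    [pscustomobject]@{ Build = "10.0.$build.$ubr"; Status = $status }
}

function Get-MotwState {
    # Reports whether each file has the Zone.Identifier alternate data stream and its ZoneId
    # (3 = Internet). Files from untrusted sources that lack the stream deserve a closer look.
    param([string]$Path = "$env:USERPROFILE\Downloads")   # assumed default folder
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $id   = if ($zone) { ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=' } else { $null }
        [pscustomobject]@{ File = $_.Name; HasMotw = [bool]$zone; ZoneId = $id }
    }
}

Test-Cve202438217Build
Get-MotwState | Format-Table -AutoSize
```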

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor patch that closes the Mark of the Web bypass.

Malicious-code protection (prevent / detect; the control identifier is not given on this page, and the description matches SI-3, Malicious Code Protection)

Supplies secondary malicious-code scanning and execution blocking that remains effective even when MotW marking is evaded.

CM-7 Least Functionality (prevent)

Enforces least-functionality restrictions (e.g., application allow-listing) that limit what downloaded files can do after a MotW bypass.
