Cyber Resilience

CVE-2024-38226

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 September 2024

Modified: 28 October 2025
KEV Added: 10 September 2024
CVSS v3.1 Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0143 (81.0th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38226 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Office 2019. Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 19.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Publisher contains a security feature bypass vulnerability tracked as CVE-2024-38226. The flaw allows an attacker to circumvent protections that would otherwise restrict certain operations within Publisher documents or templates. It affects Microsoft Publisher running on supported Windows versions and carries a CVSS 3.1 score of 7.3, reflecting the local access requirement.

An authenticated local user who can convince a victim to open a specially crafted Publisher file can exploit the bypass to achieve high impact on confidentiality, integrity, and availability. The attack requires user interaction (opening the malicious document) but needs only low privileges and low attack complexity once the file is opened.

Microsoft’s advisory at msrc.microsoft.com recommends applying the security update released on September 10, 2024, which restores the intended security boundaries. The CISA Known Exploited Vulnerabilities catalog lists the issue, confirming that in-the-wild exploitation has been observed and that federal agencies must remediate according to CISA directives.

EPSS remains low and unchanged at 0.0143, indicating limited public exploit code or scanning activity despite confirmed real-world use.

EU & UK References

Vulnerability details

Microsoft Publisher Security Feature Bypass Vulnerability

CWE(s): CWE-693 (Protection Mechanism Failure)
KEV Date Added: 10 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Microsoft Office 2019, all versions
- Microsoft Office Long Term Servicing Channel 2021
- Microsoft Publisher 2016

Mitigating Controls

NIST 800-53 r5 control mapping:

- Prevent (AC-3, Access Enforcement): Directly enforces the security features in Publisher that the CVE bypasses, blocking the unauthorized access and high-impact actions by low-privileged local users.
- Prevent: Restricts the permissions available to the low-privilege attacker, limiting the scope of the confidentiality/integrity/availability impact even if the bypass succeeds.
- Prevent (SI-2, Flaw Remediation): Requires timely application of Microsoft's remediation for CVE-2024-38226, eliminating the security feature bypass before exploitation can occur.

References