CVE-2024-38226
Published: 10 September 2024
Summary
CVE-2024-38226 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Office 2019. Its CVSS base score is 7.3 (High).
Operationally, it is ranked in the top 19.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Publisher contains a security feature bypass vulnerability tracked as CVE-2024-38226. The flaw allows an attacker to circumvent protections that would otherwise restrict certain operations within Publisher documents or templates. It affects Microsoft Publisher running on supported Windows versions and carries a CVSS 3.1 score of 7.3, a score that reflects the local access requirement.
An authenticated local user who can convince a victim to open a specially crafted Publisher file can use the bypass to achieve high impact on confidentiality, integrity, and availability. The attack requires user interaction (opening a malicious document), but once the file is opened it needs only low privileges and has low attack complexity.
Microsoft's advisory at msrc.microsoft.com recommends applying the security update released on September 10, 2024, which restores the intended security boundaries. The CISA Known Exploited Vulnerabilities catalog lists the issue, confirming that in-the-wild exploitation has been observed and that federal agencies must remediate according to CISA directives.
The EPSS score remains low and unchanged at 0.0143, indicating limited public exploit code or scanning activity despite confirmed real-world use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37192
Vulnerability details
Microsoft Publisher Security Feature Bypass Vulnerability
- CWE(s): CWE-693 (Protection Mechanism Failure)
- KEV Date Added: 10 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the security features in Publisher that the CVE bypasses, blocking the unauthorized access and high-impact actions by low-privileged local users.
- Restricts the permissions available to the low-privilege attacker, limiting the scope of the confidentiality/integrity/availability impact even if the bypass succeeds.
- SI-2 (Flaw Remediation): requires timely application of Microsoft's remediation for CVE-2024-38226, eliminating the security feature bypass before exploitation can occur.