CVE-2024-38239
Published: 10 September 2024
Summary
CVE-2024-38239 is a high-severity Weak Authentication (CWE-1390) vulnerability in Microsoft Windows 10 22H2. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 11.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Windows Kerberos is affected by CVE-2024-38239, an elevation-of-privilege vulnerability disclosed on 10 September 2024. The flaw carries a CVSS 3.1 base score of 7.2 with network attack vector, low attack complexity, and high-privilege requirements, resulting in complete loss of confidentiality, integrity, and availability when exploited.
An authenticated attacker already holding high privileges can send specially crafted Kerberos messages over the network to escalate rights on the target system. Successful exploitation grants the attacker the ability to perform actions equivalent to those of a more privileged account, potentially leading to full domain compromise.
The official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38239 describes available patches and configuration guidance for affected Windows versions. The associated EPSS score reached a modest peak of 0.0514 in December 2025 before receding to its current value of 0.0407, remaining at low absolute levels with no reported real-world exploitation campaigns.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37205
Vulnerability details
Windows Kerberos Elevation of Privilege Vulnerability
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Helps detect exploitation of weak authentication mechanisms by notifying users of previous unauthorized logons.
- The IA policy requires strong authentication methods, reducing the use of weak authentication.
- Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions.
- Enforces authentication for users, reducing the viability of weak authentication mechanisms.
- Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication.