Cyber Resilience

CVE-2024-38239

High

Published: 10 September 2024

Modified: 17 September 2024
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0407 (88.8th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38239 is a high-severity Weak Authentication (CWE-1390) vulnerability in Microsoft Windows 10 22H2. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 11.2% of CVEs by exploit likelihood (EPSS 88.8th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Windows Kerberos is affected by CVE-2024-38239, an elevation-of-privilege vulnerability disclosed on 10 September 2024. The flaw carries a CVSS 3.1 base score of 7.2: network attack vector, low attack complexity, high privileges required, no user interaction, and a complete loss of confidentiality, integrity, and availability when exploited.

An authenticated attacker already holding high privileges can send specially crafted Kerberos messages over the network to escalate rights on the target system. Successful exploitation grants the attacker the ability to perform actions equivalent to those of a more privileged account, potentially leading to full domain compromise.

The official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38239 describes available patches and configuration guidance for affected Windows versions. The associated EPSS score reached a modest peak of 0.0514 in December 2025 before receding to its current value of 0.0407, remaining at low absolute levels with no reported real-world exploitation campaigns.

Vulnerability details

Windows Kerberos Elevation of Privilege Vulnerability

CWE(s): CWE-1390 (Weak Authentication)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1507: ≤ 10.0.10240.20766
Microsoft Windows 10 1607: ≤ 10.0.14393.7336
Microsoft Windows 10 1809: ≤ 10.0.17763.6293
Microsoft Windows 10 21H2: ≤ 10.0.19044.4894
Microsoft Windows 10 22H2: ≤ 10.0.19045.4894
Microsoft Windows 11 21H2: ≤ 10.0.22000.3197
Microsoft Windows 11 22H2: ≤ 10.0.22621.4169
Microsoft Windows 11 23H2: ≤ 10.0.22621.4169 · ≤ 10.0.22631.4169
Microsoft Windows 11 24H2: ≤ 10.0.26100.1742
Microsoft Windows Server 2008: all versions, R2
+5 more product configuration(s) — see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-1390: Helps detect exploitation of weak authentication mechanisms by notifying users of previous unauthorized logons.

Addresses CWE-1390: The identification and authentication (IA) policy requires strong authentication methods, reducing the use of weak authentication.

Addresses CWE-1390: Enforces dynamic, context-aware authentication that mitigates weak static authentication by raising requirements based on risk or conditions.

Addresses CWE-1390: Enforces authentication for users, reducing the viability of weak authentication mechanisms.

Addresses CWE-1390: Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication.