Cyber Resilience

CVE-2024-38260

Severity: High

Published: 10 September 2024
Modified: 13 September 2024
KEV Added: not listed
Patch: (not recorded)
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0397 (88.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38260 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 11.3% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-38260 is a remote code execution vulnerability in the Windows Remote Desktop Licensing Service. It carries a CVSS 3.1 base score of 8.8 with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and is also associated with CWE-908. The flaw was publicly disclosed on 10 September 2024.

An attacker with low-privileged network access can exploit the issue without user interaction to execute arbitrary code, resulting in full compromise of confidentiality, integrity, and availability on the affected system. In practice, a remote attacker who already holds limited credentials can therefore move from that foothold to complete control of the licensing host.

The sole reference points to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38260, which is the authoritative source for patch availability and mitigation guidance. The associated EPSS score remains low, reaching a modest peak of 0.0502 before receding to the current value of 0.0397, with no indication of in-the-wild exploitation.

Vulnerability details

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

CWE(s)

CWE-908: Use of Uninitialized Resource

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                    Affected versions
microsoft   windows server 2008        r2
microsoft   windows server 2012        all versions, r2
microsoft   windows server 2016        ≤ 10.0.14393.7336
microsoft   windows server 2019        ≤ 10.0.17763.6293
microsoft   windows server 2022        ≤ 10.0.20348.2700
microsoft   windows server 2022 23h2   ≤ 10.0.25398.1128

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

Microsoft Security Response Center advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38260