Cyber Resilience

CVE-2024-43521

High

Published: 08 October 2024

Modified: 17 October 2024
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0790 (92.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43521 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in the Hyper-V component of Microsoft Windows Server (2012 and 2012 R2 through 2022 23H2, per the affected assets listed below). Its CVSS base score is 7.5 (High).

Operationally, its EPSS score places it in the top 7.8% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Windows Hyper-V contains a denial of service vulnerability tracked as CVE-2024-43521. The flaw received a CVSS 3.1 base score of 7.5 and is associated with CWE-253. It affects the Hyper-V hypervisor component in the Windows Server releases listed below and allows remote interference with availability (A:H) with no impact on confidentiality or integrity (C:N/I:N).

An unauthenticated attacker can exploit the issue over the network with low complexity and no user interaction. Successful exploitation results in a high-impact denial of service against the Hyper-V host, causing the affected virtualization service to become unavailable.

Microsoft has published an advisory for CVE-2024-43521 that includes remediation guidance and is available at the Microsoft Security Response Center. The EPSS score for the vulnerability has remained flat at 0.0790 since disclosure. EPSS is a modelled probability of exploitation within 30 days, not a measurement of observed attacks, so a flat score means the model's estimate has not changed, not that exploitation has been ruled out.


Vulnerability details

Windows Hyper-V Denial of Service Vulnerability

CWE(s): CWE-253 Incorrect Check of Function Return Value

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                        Affected versions
Microsoft  Windows Server 2012 / 2012 R2  all versions
Microsoft  Windows Server 2016            builds before 10.0.14393.7428
Microsoft  Windows Server 2019            builds before 10.0.17763.6414
Microsoft  Windows Server 2022            builds before 10.0.20348.2762
Microsoft  Windows Server 2022 23H2       builds before 10.0.25398.1189

The build numbers listed are the October 2024 security update builds for each release; a host whose build is at or above the number for its release has the fix installed. Windows Server 2012 and 2012 R2 are not tracked by build number here and must be checked against the installed October 2024 monthly rollup.
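As an added example (not code from the page, the tracker, or Microsoft), the following PowerShell reads the installed OS build from the registry, compares it with the build numbers listed above, and reports whether the Hyper-V role is present on the host. It assumes the listed builds are the first fixed builds for each release (anything lower is treated as unpatched) and uses the presence of the vmms service as the indicator that the Hyper-V role is installed; the version strings at the end are constructed inputs to exercise the comparison, not real hosts.

```powershell
# Added example for CVE-2024-43521 patch-status triage (not from the page or from Microsoft).
# Assumption: the builds below are the October 2024 fixed builds; lower builds are unpatched.
$FixedBuilds = @{
    '14393' = [version]'10.0.14393.7428'   # Windows Server 2016
    '17763' = [version]'10.0.17763.6414'   # Windows Server 2019
    '20348' = [version]'10.0.20348.2762'   # Windows Server 2022
    '25398' = [version]'10.0.25398.1189'   # Windows Server 2022 23H2
}

function Get-InstalledOsVersion {
    # Build the full major.minor.build.UBR version from the registry; UBR is the
    # revision that distinguishes a patched build from an unpatched one.
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    if ($null -ne $cv.CurrentMajorVersionNumber) {
        # Windows Server 2016 and later expose major/minor/build separately
        return [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                             $cv.CurrentMinorVersionNumber,
                                             $cv.CurrentBuildNumber, $ubr)
    }
    # Windows Server 2012 / 2012 R2: CurrentVersion is "6.2" / "6.3" and there is no UBR
    return [version]('{0}.{1}.{2}' -f $cv.CurrentVersion, $cv.CurrentBuildNumber, $ubr)
}

function Test-HyperVInstalled {
    # vmms (Hyper-V Virtual Machine Management) only exists when the role is installed
    $null -ne (Get-Service -Name vmms -ErrorAction SilentlyContinue)
}

function Get-FixStatus {
    param([Parameter(Mandatory)][version]$OsVersion)
    $key = [string]$OsVersion.Build
    if (-not $FixedBuilds.ContainsKey($key)) {
        if ($OsVersion.Major -eq 6 -and $OsVersion.Minor -in @(2, 3)) {
            return 'REVIEW: Server 2012/2012 R2 is listed as affected in all versions; confirm the October 2024 monthly rollup is installed'
        }
        return "NOT ASSESSED: build $($OsVersion.Build) is not in the affected list on the page"
    }
    $fixed = $FixedBuilds[$key]
    if ($OsVersion -lt $fixed) { return "VULNERABLE: $OsVersion is below fixed build $fixed" }
    return "PATCHED: $OsVersion is at or above fixed build $fixed"
}

function Test-Cve202443521 {
    param([version]$OsVersion = (Get-InstalledOsVersion))
    # A patched build closes the bug; a host without the Hyper-V role was never exposed.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OsVersion       = $OsVersion
        HyperVInstalled = Test-HyperVInstalled
        Status          = Get-FixStatus -OsVersion $OsVersion
    }
}

# Live check on the host running the script:
Test-Cve202443521 | Format-List

# Constructed sample inputs (not real hosts) to exercise the comparison logic:
Get-FixStatus -OsVersion ([version]'10.0.20348.2700')   # below the 2022 fixed build -> VULNERABLE
Get-FixStatus -OsVersion ([version]'10.0.20348.2762')   # exactly the fixed build    -> PATCHED
Get-FixStatus -OsVersion ([version]'6.3.9600.0')        # Server 2012 R2             -> REVIEW
```

The comparison is done on System.Version objects rather than on strings so that UBR 7428 sorts correctly against 10000 and above; the registry read needs no elevation. Run it across a fleet with Invoke-Command and filter on Status starting with VULNERABLE and HyperVInstalled being true to get the hosts that actually need the October 2024 update first.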

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
