Cyber Posture

CVE-2024-7344

High · Public PoC

Published: 14 January 2025

Modified: 22 January 2025
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0039 (59.8th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7344 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Cs-Grp Neo Impact. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003). The CVE ranks in the top 40.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SA-19 (Component Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Bootkit (T1542.003) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Mandates digital signature verification prior to installation and execution of firmware components, directly preventing the Reloader application's execution of unsigned software in hardcoded paths.

prevent · detect

Requires cryptographic integrity verification of firmware such as the Reloader, addressing the improper signature verification that allows unsigned code execution during UEFI boot.

prevent

Enforces authenticity verification of critical system components like UEFI applications prior to installation, mitigating exploitation of unsigned software loading in the vulnerable Reloader.

MITRE ATT&CK Enterprise Techniques · AI

T1542.003 Bootkit · Stealth
Adversaries may use bootkits to persist on systems.

T1553.002 Code Signing · Defense Impairment
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.

Why these techniques?

The vulnerability bypasses UEFI signature verification (CWE-347) to execute unsigned code during boot, directly enabling bootkit persistence and subversion of code signing controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Deeper analysis · AI

CVE-2024-7344 is a vulnerability in the Howyar UEFI Application "Reloader," affecting both 32-bit and 64-bit versions. It enables the execution of unsigned software stored in a hardcoded path and is classified as CWE-347 (Improper Verification of Cryptographic Signature). The issue carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-01-14.

A local attacker with high privileges can exploit this vulnerability with low complexity and without user interaction. Exploitation allows execution of unsigned code in the specified path, with potentially high impact on confidentiality, integrity, and availability and a changed scope, such as during the UEFI boot process.

Advisories and references, including the CERT vulnerability note (https://www.kb.cert.org/vuls/id/529659), UEFI specifications on the Boot Manager (https://uefi.org/specs/UEFI/2.10/03_Boot_Manager.html) and Secure Boot and Driver Signing (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html), and the UEFI revocation list file (https://uefi.org/revocationlistfile), provide context on Secure Boot mechanisms and signature verification. An ESET blog post (https://www.eset.com/blog/enterprise/preparing-for-uefi-bootkits-eset-discovery-shows-the-importance-of-cyber-intelligence/) discusses UEFI bootkit preparations and the role of cyber intelligence.

Details

CWE(s)

Affected Products

Vendor · Product · Affected versions
cs-grp · neo impact · ≤ 10.1.024-20241127
greenware · greenguard · ≤ 10.2.023-20240927
howyar · sysreturn · ≤ 10.2.023_20240919
radix · smart recovery · ≤ 11.2.023-20240927
sanfong · ez-back system · ≤ 10.3.024-20241127
signalcomputer · hdd king · ≤ 10.3.021-20241127
wasay · erecoveryrx · ≤ 8.4.022-20241127

CVEs Like This One

CVE-2026-3338 · Shared CWE-347
CVE-2025-52648 · Shared CWE-347
CVE-2026-33895 · Shared CWE-347
CVE-2026-4600 · Shared CWE-347
CVE-2026-40070 · Shared CWE-347
CVE-2025-27773 · Shared CWE-347
CVE-2026-5466 · Shared CWE-347
CVE-2026-40372 · Shared CWE-347
CVE-2026-38651 · Shared CWE-347
CVE-2026-34377 · Shared CWE-347

References