Exploit
CVE-2024-49039

Improper Authentication (CWE-287)

Published: Nov 12, 2024

010
CVSS 8.8EPSS 0.19%High
CVE info copied to clipboard

Summary

Windows Task Scheduler Elevation of Privilege Vulnerability. This is a local privilege escalation vulnerability in the Windows Task Scheduler component. It has a CVSS v3.1 base score of 8.8, indicating high severity. The vulnerability requires low attack complexity and low privileges to exploit, with no user interaction needed. It affects confidentiality, integrity, and availability, all rated as high impact.

Impact

Successful exploitation of this vulnerability could allow an attacker with low-level access to elevate their privileges on the system. This could potentially lead to full system compromise, as the attacker could gain the ability to execute arbitrary code with high-level privileges, access sensitive information, modify system configurations, and disrupt system availability. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including cisa.gov.

Patch

A patch is available. Microsoft released an official fix for this vulnerability on November 12, 2024. The patch addresses the vulnerability in multiple versions of Windows, including Windows 10 (various builds), Windows 11, and Windows Server versions from 2016 to 2025. Each affected version has a specific version number that should be updated to patch the vulnerability.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible. 2. Implement the principle of least privilege, ensuring users and processes only have the minimum necessary permissions. 3. Monitor and audit task scheduler activities for any suspicious behavior. 4. Keep systems and software up-to-date with the latest security patches. 5. Use endpoint detection and response (EDR) solutions to detect and prevent exploitation attempts. 6. Implement network segmentation to limit the potential impact of a successful exploit.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Timeline

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Nov 12, 2024 at 12:00 AM / inthewild.io
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92186)

Nov 12, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 12, 2024 at 5:55 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-49039. See article

Nov 12, 2024 at 5:59 PM / #cybersecurity
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 5:59 PM
CVE Assignment

NVD published the first details for CVE-2024-49039

Nov 12, 2024 at 6:15 PM
Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Nov 12, 2024 at 6:30 PM / CISA Known Exploited Vulnerability
Exploitation in the Wild

Attacks in the wild have been reported by CISA - Known exploited vulnerabilities catalog. See article

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (210863)

Nov 13, 2024 at 2:15 AM
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_server_2016
+null more

Proof Of Exploit

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1548: Abuse Elevation Control Mechanism
+null more

Attack Patterns

CAPEC-114: Authentication Abuse
+null more

Vendor Advisory

CVE-2024-49039 - Security Update Guide - Microsoft - Windows Task Scheduler Elevation of Privilege Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

References

Windows Task Scheduler Elevation of Privilege Vulnerability
What privileges could be gained by an attacker who successfully exploited the vulnerability? To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application on the target system exploit the vulnerability to elevate their privileges to a Medium Integrity Level.
CVE-2024-49039 - Security Update Guide - Microsoft - Windows Task Scheduler Elevation of Privilege Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
ION Advisory: November Patch Tuesday
None of the following critical vulnerabilities below have been reported as being actively exploited or publicly disclosed: The following vulnerabilities have been reported as publicly disclosed, but not yet actively exploited :

News

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
Exploit for Improper Authentication in Microsoft exploit
CVE-2024-49039 Exploitation
CVE Id : CVE-2024-49039 Published Date: 2024-11-12T00:00:00+00:00 Windows Task Scheduler Elevation of Privilege Vulnerability https://www.cisa.gov/known-exploited-vulnerabilities-catalog inTheWild added CVE-2024-49039 to the list of known exploited vulnerabilities.
je5442804/WPTaskScheduler_CVE-2024-49039
WPTaskScheduler Persistence & CVE-2024-49039, as one of Attack Surface within Task Scheduler. who found that able to bypass Restricted Token Sandbox, child-process restrictions and elevate to Medium Integrity.
Weekly Threat Landscape Digest – Week 47
From sophisticated zero-day exploits to novel malware campaigns, this week’s Hawkeye Security Advisory brings you actionable insights into the latest threats and how to mitigate them. The BrazenBamboo APT group is actively exploiting an unpatched zero-day vulnerability in Fortinet’s FortiClient VPN software for Windows.
See 185 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI