Privilege escalation in Microsoft Remote Registry Service
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-43532 |
| CWE-ID | CWE-636 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Not Failing Securely ('Failing Open')
EUVDB-ID: #VU98219
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-43532
CWE-ID:
CWE-636 - Not Failing Securely (\'Failing Open\')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to escalate privileges in Active Directory domain.
The vulnerability exists due to the way the Remote Registry client handles RPC authentication during certain fallback scenarios when SMB transport is unavailable. A remote user can authenticated against the AD server, intercept the NTLM authentication handshake from the client and forward it to another service, such as the (ADCS), and create a new domain administrator.
Successful exploitation of the vulnerability may allows a domain user to take over the entire AD.
Install updates from vendor's website.
Vulnerable software versionsWindows: before 11 24H2 10.0.26100.2033
Windows Server: before 2022 23H2 10.0.25398.1189
CPE2.3http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43532
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
