Vulnerability identifier: #VU98219

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-43532

CWE-ID: CWE-636

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Windows
Operating systems & Components / Operating system
Windows Server
Operating systems & Components / Operating system

Vendor:

Description

The vulnerability allows a remote user to escalate privileges in Active Directory domain.

The vulnerability exists due to the way the Remote Registry client handles RPC authentication during certain fallback scenarios when SMB transport is unavailable. A remote user can authenticated against the AD server, intercept the NTLM authentication handshake from the client and forward it to another service, such as the (ADCS), and create a new domain administrator.

Successful exploitation of the vulnerability may allows a domain user to take over the entire AD.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

---

External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43532

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.