Windows Error Reporting Service, elevation of privilege (Black Basta)
Windows Error Reporting Service Elevation of Privilege Vulnerability.
Overview
CVE-2024-26169 is a high-severity elevation of privilege vulnerability in the Windows Error Reporting (WER) Service. The flaw exists in werkernel.dll and can be exploited through the WerFault.exe COM activation chain. This vulnerability allows a local attacker with low privileges to escalate to SYSTEM-level access on affected Windows systems. Notably, Black Basta ransomware affiliates were observed exploiting this vulnerability as a zero-day before Microsoft's public patch release in March 2024.
Technical Details
The Windows Error Reporting Service runs with SYSTEM privileges and accepts COM activation requests. The vulnerability allows a local low-privileged attacker to craft malicious activation parameters that cause the service to write attacker-controlled content to a SYSTEM-owned location. This arbitrary write primitive enables privilege escalation from a standard user context to full SYSTEM privileges.
The exploit targets the COM activation mechanism within the WER service, specifically abusing how WerFault.exe processes certain requests. The vulnerability is local-only, meaning an attacker must already have code execution on the target system, but it serves as a near-universal post-exploitation primitive on modern Windows installations.
Symantec's Threat Hunter Team discovered a Black Basta affiliate tool compiled in February 2024, approximately one month before Microsoft released the patch on March 12, 2024, confirming that the vulnerability was exploited as a zero-day.
Impact
This vulnerability represents a critical step in ransomware attack chains. Most initial-access malware executes in a user context, and reaching SYSTEM privileges is the gating step that enables attackers to:
- Disable endpoint detection and response (EDR) solutions
- Dump credentials from LSASS (Local Security Authority Subsystem Service)
- Establish persistent access to compromised systems
- Deploy ransomware with maximum impact
In-the-wild exploitation by Black Basta affiliates and at least one other ransomware group has been confirmed, making this a textbook step-two exploit for ransomware operations targeting Windows 10/11 workstations.
Mitigation
- Apply the March 2024 cumulative update on all Windows hosts immediately
- Audit endpoints for Symantec-published IOCs, particularly werkernel.dll-related artifacts dropped to user temp paths in early 2024
- Enable Microsoft Defender for Endpoint with the "Block credential stealing from LSASS" Attack Surface Reduction (ASR) rule
- Monitor for suspicious WerFault.exe activity and COM activation patterns
Detection
Organizations should monitor for suspicious artifacts in user temporary directories related to werkernel.dll. Symantec has published specific indicators of compromise (IOCs) associated with the Black Basta exploit tool. Additionally, anomalous COM activation requests to the Windows Error Reporting Service and unexpected WerFault.exe process behavior should trigger investigation.
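A PowerShell hunt covering the two detection points above (werkernel.dll-related files in user temp paths, and WerFault.exe launch patterns), added here as an example; it is not code from the advisory, Microsoft or Symantec. It assumes Sysmon process-creation logging (Event ID 1) is enabled and that it runs from an elevated session; the date window and the file-name pattern are assumptions taken from the advisory's wording, not published IOCs.

```powershell
# Added hunting script; not from the advisory, Microsoft or Symantec. Assumes
# Sysmon is installed and logging process creation (Event ID 1). The date window
# and file-name pattern are assumptions derived from the advisory's wording.
param([datetime]$Since = (Get-Date '2024-01-01'))

# 1. werkernel.dll-related files dropped into any user's temp directory.
$tempDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path $_ }
$artifacts = foreach ($dir in $tempDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Filter '*werkernel*' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, Length, LastWriteTime
}

# 2. Baseline WerFault.exe launches by parent process. WerFault.exe is normally
#    started by the faulting application or the WER service host, so a rare
#    parent (or an odd command line) is what an analyst should look at first.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
} -ErrorAction SilentlyContinue

$launches = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['Image'] -like '*\WerFault.exe') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d['User']
            ParentImage = $d['ParentImage']
            CommandLine = $d['CommandLine']
        }
    }
}

Write-Output "werkernel artifacts in user temp dirs: $(@($artifacts).Count)"
$artifacts | Format-Table -AutoSize

Write-Output "WerFault.exe launches since $Since, grouped by parent (rarest first):"
$launches | Group-Object ParentImage | Sort-Object Count |
    Select-Object Count, Name,
        @{ n = 'SampleCommandLine'; e = { $_.Group[0].CommandLine } } |
    Format-Table -AutoSize -Wrap
```

Treat the parent-process table as a baseline to compare across hosts rather than an alert on its own, since legitimate crashes spawn WerFault.exe from many different parents.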