CVE-2024-30051 (exploited in the wild)

Windows Desktop Window Manager (DWM) Core Library, elevation of privilege

Windows DWM Core Library Elevation of Privilege Vulnerability.

Overview

CVE-2024-30051 is a high-severity elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library (dwmcore.dll). The bug is a heap-based buffer overflow that allows a local attacker to escalate from any user account to SYSTEM. QakBot malware affiliates were actively exploiting it before Microsoft released a patch, making it a zero-day that was weaponized in real-world attacks.

Technical Details

The vulnerability exists as a heap-based buffer overflow in dwmcore.dll, the core library for Windows Desktop Window Manager. The DWM service runs in every interactive Windows session and is responsible for rendering the graphical user interface, including window composition and visual effects.

The flaw stems from improper handling of attacker-influenceable input passed through DWM's window message handling. Because DWM processes these messages in a privileged context, a malicious local user can craft inputs that trigger the heap overflow and ultimately gain arbitrary code execution with SYSTEM privileges.

Exploitation requires only local code execution as any authenticated user; no administrator privileges are needed for the initial foothold. This low barrier to entry makes the bug attractive to pair with initial access techniques such as phishing campaigns.

Impact

Successful exploitation grants attackers SYSTEM-level privileges on affected Windows systems. This represents complete compromise of the local machine, enabling:

  • Full control over the operating system
  • Installation of persistent malware or backdoors
  • Credential harvesting and lateral movement
  • Disabling of security controls

Kaspersky researchers discovered this exploit being actively used by QakBot affiliates in April 2024, prior to public disclosure. QakBot is a well-known banking trojan and malware loader that has been used extensively for ransomware delivery and data theft operations. Microsoft confirmed in-the-wild exploitation when releasing the patch during May 2024 Patch Tuesday.

Mitigation

  1. Apply the May 2024 cumulative update from Microsoft immediately on all affected Windows systems
  2. Verify that Microsoft Defender for Endpoint or equivalent endpoint protection is active with current signatures
  3. Conduct threat hunting sweeps for QakBot artifacts on hosts that remained unpatched during Q1 2024
  4. Review systems for signs of compromise, particularly those exposed to phishing campaigns

Detection

Microsoft Defender for Endpoint includes detection capabilities for QakBot malware and associated tooling. Organizations should ensure endpoint detection and response (EDR) solutions are deployed and actively monitoring. Indicators of compromise related to QakBot distribution chains should be incorporated into security monitoring. Review system logs for suspicious DWM-related crashes or anomalous privilege escalation events on workstations.
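As an added example (not taken from this advisory or from Microsoft), the following PowerShell script implements the last check above on a single host: it queries the Application event log for dwm.exe crash reports (Application Error, event ID 1000), extracts the faulting module and exception code from the message text, and ranks crashes inside dwmcore.dll for triage. The message field wording and the use of 0xc0000374 (STATUS_HEAP_CORRUPTION) as the high-priority signal are assumptions about the standard Windows Error Reporting format, not facts stated on this page.

```powershell
# Added example: hunt a host's Application log for dwm.exe crashes and rank
# those whose faulting module is dwmcore.dll. Repeated DWM crashes on a
# workstation can indicate a failed or unstable exploitation attempt and
# deserve triage alongside EDR telemetry. Assumes the standard Application
# Error (event ID 1000) wording; 0xc0000374 is STATUS_HEAP_CORRUPTION.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackDays = 30
)
function Get-DwmCrashEvents {
    param([string]$ComputerName, [int]$LookbackDays)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no hits"
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        if ($msg -notmatch 'Faulting application name:\s*dwm\.exe') { continue }
        $module = if ($msg -match 'Faulting module name:\s*([^,\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        $code   = if ($msg -match 'Exception code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1].ToLower() } else { 'unknown' }
        # Faults inside dwmcore.dll with a heap-corruption status are triaged first
        $priority = 'Low'
        if ($module -ieq 'dwmcore.dll') {
            $priority = if ($code -eq '0xc0000374') { 'High' } else { 'Medium' }
        }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            Computer       = $e.MachineName
            FaultingModule = $module
            ExceptionCode  = $code
            Priority       = $priority
        }
    }
}
$hits = @(Get-DwmCrashEvents -ComputerName $ComputerName -LookbackDays $LookbackDays)
if ($hits.Count -eq 0) {
    Write-Output "No dwm.exe crash events in the last $LookbackDays days on $ComputerName"
} else {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
    $high = @($hits | Where-Object { $_.Priority -eq 'High' })
    if ($high.Count -gt 0) {
        Write-Warning "$($high.Count) dwm.exe crash(es) in dwmcore.dll with STATUS_HEAP_CORRUPTION; triage these first"
    }
}
```

A DWM crash alone is not proof of exploitation (graphics driver faults also land here), so correlate hits with EDR process telemetry and the host's patch state before escalating.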