A proof-of-concept (PoC) exploit has been released for a critical zero-day vulnerability in the Windows Task Scheduler, identified as CVE-2024-49039. This privilege escalation flaw, which has been actively exploited in the wild, poses a significant threat to Windows users worldwide.
The vulnerability, assigned a high CVSS score of 8.8, allows attackers to elevate their privileges and execute arbitrary code on affected systems. What makes this flaw particularly dangerous is its potential for zero-click exploitation, meaning an attacker can compromise a system without any user interaction.
Security researchers have linked the exploitation of CVE-2024-49039 to the Russia-aligned threat actor known as RomCom.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
The attack chain works as follows:
- The Windows Task Scheduler flaw (CVE-2024-49039) is then leveraged to escape the browser sandbox and elevate privileges.
- Finally, the RomCom backdoor is installed, granting attackers full control over the compromised system.
ESET researchers reported that between October 10 and November 4, 2024, potential victims were primarily located in Europe and North America, with some regions reporting up to 250 affected targets.
The release of a PoC exploit for CVE-2024-49039 has raised concerns among security experts. The exploit, published on GitHub, demonstrates how the vulnerability can be used for persistence and privilege escalation. It targets the WPTaskScheduler.dll component, which has been present in Windows since version 10 1507.
The PoC exploit showcases the ability to bypass restricted token sandboxes, child-process restrictions, and elevate to Medium Integrity. While some limitations exist, such as difficulties in establishing RPC connections from certain restricted processes, the researchers noted successful bypasses using audio and GPU processes.
Microsoft has released a patch for CVE-2024-49039, which adjusts the RPC Interface Security in WPTaskScheduler.dll. The patch now requires at least Medium Integrity for access, significantly reducing the attack surface.
Security experts urge Windows users and administrators to immediately apply the latest security updates. Additionally, they recommend implementing defense-in-depth strategies, including:
- Keeping all software and operating systems up to date.
- Implementing robust endpoint protection solutions.
- Employing network segmentation and least privilege principles.
- Conducting regular security audits and penetration testing.
As threat actors continue to exploit zero-day vulnerabilities, organizations must remain vigilant and prioritize patch management to mitigate the risks posed by these critical flaws.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar