PoC exploit released for critical 0-click remote code execution (RCE) vulnerability affecting Windows Server. This flaw impacts Windows Server versions from 2000 to the latest 2025 preview.
This vulnerability, identified as CVE-2024-38077, resides in the Windows Remote Desktop Licensing Service and poses a significant threat due to its ability to be exploited without any user interaction.
The vulnerability, dubbed “MadLicense,” is a pre-authentication RCE flaw that allows attackers to execute arbitrary code on vulnerable systems without requiring user interaction.
Unlike many RCE vulnerabilities that require some form of user interaction, the CVE-2024-38077 vulnerability can be exploited without any user action.
This is particularly concerning given the widespread use of the Remote Desktop Licensing Service, which is often deployed on servers with Remote Desktop Services enabled. The service manages and issues licenses for remote desktop access, making it a critical component in many business environments.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Exploit Released – MadLicense
The flaw is rooted in a heap overflow vulnerability within the CDataCoding::DecodeData function. This function improperly handles user-controlled input, leading to a buffer overflow condition.
The PoC exploit from researchers Ver, Lewis Lee, and Zhiniang Peng demonstrates how this vulnerability can be leveraged to bypass modern security mitigations in Windows Server 2025, achieving full remote code execution capabilities.
The exploit works by manipulating the licensing service to load a remote DLL, allowing attackers to execute arbitrary shellcode within the service’s process. Although the PoC provided is a pseudocode and intentionally obfuscated to prevent abuse, it highlights the severity of the vulnerability and the potential for exploitation.
With over 170,000 Remote Desktop Licensing Services exposed to the public internet, this vulnerability’s potential impact is substantial. The vulnerability’s 0-click nature makes it particularly dangerous, as it can be exploited without any user interaction, increasing the risk of widespread attacks.
Microsoft has been informed about the exploitability of this vulnerability but initially marked it as “exploitation less likely.” Despite this, security researchers emphasize the urgency of patching affected systems to prevent potential exploitation.
“We demonstrate how a single vulnerability was exploited to bypass all mitigations and achieve a pre-authentication remote code execution (RCE) attack on Windows Server 2025, Which is considered the most secure Windows Server,” researchers added.
To mitigate the risk, organizations are urged to apply Microsoft’s latest security updates. Additionally, network administrators should consider implementing additional security measures, such as network segmentation and strict access controls, to reduce the attack surface.
The researchers behind the discovery have engaged in responsible disclosure practices, providing Microsoft with details about the vulnerability and its exploitability. They aim to raise awareness about the risks associated with the vulnerability and encourage prompt action to secure affected systems.
While Microsoft initially marked the exploitability of this vulnerability as “less likely,” the proof-of-concept (PoC) demonstrates that it can bypass modern security mitigations, even on the latest Windows Server 2025, which is designed to offer next-generation security improvements.
Currently, there are no known exploits circulating for the CVE-2024-38077 vulnerability. Microsoft has released a patch and it is crucial for users to apply this update to mitigate potential risks.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download