Actively exploited zero-day vulnerability in Microsoft Management Console
Microsoft Management Console has received a patch for CVE-2024-43572, which has a severity rating of Important and a CVSS score of 7.8. This remote code execution (RCE) vulnerability allows malicious Microsoft Saved Console (MSC) files to execute code on the underlying device.
MSC files are associated with the Windows Command Prompt and PowerShell environments. These files are used to store the state and content of the console window, which can include sensitive information such as command history. Microsoft has not released details on how this vulnerability was exploited; however, the security update will prevent untrusted MSC files from being opened.
Table 1. Vulnerability in Microsoft Management Console

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability |
Actively exploited zero-day vulnerability in the Windows MSHTML platform
Windows MSHTML has received a patch for CVE-2024-43573, which has a severity rating of Moderate and a CVSS score of 6.5. This spoofing vulnerability exists in the Windows MSHTML platform, which is commonly used across Microsoft 365 and Microsoft Office products. It also affects Internet Explorer 11 and legacy Microsoft Edge browsers on certain platforms and Windows apps.
Microsoft has not shared details of the vulnerability or the source of its disclosure. MSHTML has been targeted multiple times over the years (July 2024, May 2024, July 2023, December 2023, May 2023), making it a prime target for threat actors.
Table 2. Vulnerability in Windows MSHTML Platform

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Moderate | 6.5 | CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability |

Critical vulnerabilities in Configuration Manager, Visual Studio Code, and Remote Desktop Protocol Server
CVE-2024-43468 is a critical RCE vulnerability affecting Microsoft Configuration Manager and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows unauthenticated attackers to execute code remotely. Microsoft Configuration Manager is part of Microsoft Intune, a family of products that enables software distribution, updates, inventory, settings management, and remote control. Microsoft recommends that customers running an affected version install the update from within the console for protection.
CVE-2024-43488 is a critical RCE vulnerability affecting the Visual Studio Code extension for Arduino and has a CVSS score of 8.8. The flaw stems from the lack of proper authentication for critical functions within the Arduino extension, which allows attackers to execute code remotely on affected systems through network-based attacks. As a mitigation, Microsoft has removed the extension from the Visual Studio Code Marketplace, and the extension has been discontinued as of October 1, 2024. Microsoft recommends that its customers use the Arduino IDE instead.
CVE-2024-43582 is a critical RCE vulnerability affecting the Remote Desktop Protocol server and has a CVSS score of 8.1. It allows an unauthenticated, remote attacker to execute arbitrary code at an elevated privilege level by sending specially crafted remote procedure call (RPC) requests. Successful exploitation requires that the malicious actor win a race condition. Because of the characteristics of this bug, it has the potential to self-spread (it is wormable) if not mitigated promptly and effectively.
Table 3. Critical Vulnerabilities in Configuration Manager, Visual Studio Code, and Remote Desktop Protocol Server

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2024-43488 | Visual Studio Code Extension for Arduino Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-43582 | Remote Desktop Protocol Server Remote Code Execution Vulnerability |

Patch Tuesday dashboard in the Falcon platform
To get a visual overview of the systems affected by this month's vulnerabilities, you can use the newly available Patch Tuesday dashboard. It can be found in the CrowdStrike Falcon® platform under the Exposure Management > Vulnerability Management > Dashboards page. Pre-made dashboards display the last three months of Patch Tuesday vulnerabilities.
Not all relevant vulnerabilities have patches: consider mitigation strategies
As we've learned from other high-profile vulnerabilities, such as Log4j, not all exploitable vulnerabilities can be easily patched. As with the ProxyNotShell vulnerabilities, it is extremely important to develop a response plan for how to defend your environments in the absence of a patching protocol.
Regularly reviewing your patching strategy should remain part of your program, but you should also look more holistically at your organization's approaches to cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform collects and analyzes trillions of endpoint events daily from millions of sensors deployed in 176 countries. Watch this demo to see the Falcon platform in action.
Learn more
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposure here.
About CVSS scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard used by CrowdStrike and many other cybersecurity organizations to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS base score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating to CVSS scores. Learn more about vulnerability scoring in this article.
Additional resources
For more information about products in the Microsoft Extended Security Updates program, see the vendor instructions here.
Learn how Falcon Exposure Management can help you detect and manage vulnerabilities and other exposures in your environments.
Learn how CrowdStrike's external attack surface module, CrowdStrike® Falcon Surface™, can detect unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
Make prioritization painless and effective. See how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
Experience the next generation of CrowdStrike antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.