Exploits and vulnerabilities in Q4 2024

Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.

Total number of registered vulnerabilities and number of critical ones, Q4 2023 vs. Q4 2024 (download)

In Q4 2024, the trend of documenting software flaws that create vulnerabilities continued to gain momentum. The share of vulnerabilities labeled as critical was slightly higher than in Q4 2023. In general, more and more vulnerabilities are being assigned CVE identifiers through Bug Bounty programs and general software security research. Let’s also examine the number of public exploits.

Number of vulnerabilities, the share of critical ones, and those for which exploits exist, 2019–2024 (download)

As shown in the graph, the number of published exploits for vulnerabilities ended up at around 6%, which is 4 p.p. lower than in 2023. This decline may be due to vendors’ requirements not to disclose information about exploitation methods for discovered vulnerabilities and corresponding exploits—we believe researchers are increasingly encountering such requests. Thus, the main trends of 2024 were the growth in the number of registered vulnerabilities, the decrease in the number of PoCs, and the share of critical vulnerabilities remaining at 2023 levels.

Let’s examine the most popular types of vulnerabilities exploited in real attacks in 2023 and 2024.

Number of vulnerabilities by the most prevalent CWEs used in attacks on users in 2023 (download)

Number of vulnerabilities by the most prevalent CWEs used in attacks on users in 2024 (download)

As in 2023, the top three in the list are the following software issues:

• CWE-78—Improper or insufficient neutralization of command-line inputs (OS Command Injection);
• CWE-20—Improper input filtering and validation. This includes most vulnerabilities that allow attackers to take control of applications;
• CWE-787—Memory corruption vulnerabilities (Out-of-bounds Write).

These types of flaws have been known for a long time and remain actively exploited by attackers. The number of associated vulnerabilities has remained at the same level over the past two years.

Next are software flaws that are less common but no less critical. In 2024, some of the most popular CWEs included the following:

• CWE-416—Improper use of dynamic memory resources (Use After Free);
• CWE-22—Improper handling of file system path formats (Path Traversal);
• CWE-94—Improper control of code generation (Code Injection);
• CWE-502—Deserialization of untrusted data;
• CWE-843—Improper handling of data types (Type Confusion);
• CWE-79—Improper neutralization of input during web page generation (Cross-site Scripting);
• CWE-122—Heap-based Buffer Overflow.

Compared to 2023, CWE-119—associated with performing operations outside buffer bounds—was the only one to drop out of the TOP 10. However, it was replaced by a similar type, CWE-122, associated with buffer overflow—so memory corruption vulnerabilities remained on the list. This confirms that the landscape of software flaws leading to exploitable vulnerabilities has remained unchanged over the past two years.

Exploitation statistics

This section contains statistics on the use of exploits in Q4 2024. The data is based on open sources and our telemetry.

Windows and Linux vulnerability exploitation

Among the exploits detected by Kaspersky solutions for Windows, the most popular throughout 2024, including Q4, were vulnerabilities in Microsoft Office applications:

• CVE-2018-0802—Remote code execution vulnerability in the Equation Editor component;
• CVE-2017-11882—Another remote code execution vulnerability also affecting the Equation Editor;
• CVE-2017-0199—A vulnerability in Microsoft Office and WordPad that allows an attacker to take control of the system.

Following these, the most common vulnerabilities in Q4 included those in WinRAR and various Windows subsystems:

• CVE-2023-38831—A vulnerability in WinRAR related to improper handling of objects contained in an archive;
• CVE-2024-38100—A vulnerability known as Leaked Wallpaper, which allows an attacker to obtain a NetNTLM hash used in user authentication protocols;
• CVE-2024-21447—A vulnerability in improper link handling within the file system. It resides in the UserManager service and, if exploited, allows privilege escalation;
• CVE-2024-28916—A vulnerability similar to CVE-2024-21447 in the Xbox Gaming Service.

Each of the above vulnerabilities can be used to compromise the system and gain the highest possible privileges, so we recommend regularly updating the corresponding software.

Dynamics of the number of Windows users encountering exploits, Q1 2023—Q4 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

Kaspersky products for the Linux operating system triggered on exploits for the following vulnerabilities:

• CVE-2024-1086—Improper resource handling vulnerability in the nf_tables component of the kernel. Exploiting it allows privilege escalation in the system;
• CVE-2024-0582—A memory leak vulnerability in the io_uring component, which can be used to escalate privileges on the vulnerable system;
• CVE-2022-0847—A widespread vulnerability known as Dirty Pipe, allowing privilege escalation and control over running applications;
• CVE-2022-34918—Improper handling of kernel objects related to the netfilter component. Exploiting the vulnerability allows privilege escalation in the system.

Dynamics of the number of Linux users encountering exploits, Q1 2023—Q4 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

For the Linux operating system, it is critically important to keep kernel components up to date, as well as any software used.

Most common published exploits

The distribution of published exploits for vulnerabilities by platform, Q3 2024 (download)

The distribution of published exploits for vulnerabilities by platform, Q4 2024 (download)

In Q4 2024, operating systems remained the most popular category of software in terms of the number of publicly available working exploits. At the same time, the share of exploits targeting Microsoft Office tools decreased, and no exploits for SharePoint vulnerabilities were published.

The distribution of published exploits for vulnerabilities by platform, 2024 (download)

Data for 2024 shows that the overall trend of attacks on operating systems continues to grow, increasingly displacing other categories of software. Researchers and attackers are finding new operating system components that still contain potentially exploitable vulnerabilities.

Vulnerability exploitation in APT attacks

We analyzed which vulnerabilities were most commonly used in APT attacks in Q4 2024. The ranking below is based on our telemetry, research, and open sources.

TOP 10 vulnerabilities exploited in APT attacks, Q4 2024 (download)

The list of vulnerabilities commonly used in APT attacks shows changes in the software exploited by attackers. Microsoft Office applications, whose vulnerabilities were not used as much in 2023, have returned to the top ten most frequently exploited types of software. In addition, vulnerabilities for PAN-OS appeared on the list for the first time. Moreover, remote access systems and corporate data processing solutions once again appeared among the vulnerable applications. These statistics highlight the issue of delayed patch installation, which attackers quickly exploit. We strongly recommend promptly updating the software listed.

Interesting vulnerabilities

This section contains the most interesting vulnerabilities published in Q4 2024.

CVE-2024-43572—Remote code execution vulnerability in Microsoft Management Console

The Windows operating system has many useful features and mechanisms that allow users to customize it for their convenience. One such feature is the Microsoft Management Console (MMC)—an interface for running applications that contain strictly structured information. These applications are called “snap-ins.” The operating system provides a number of built-in tools for working with MMC, such as services.msc—an interface for managing services. This is an XML file that interacts with individual COM objects and allows you to set parameters for them in the management console.

According to Microsoft documentation, .msc files can be used for system administration. Attackers exploited this functionality to run commands on user systems: inside the .msc file, they specified the URI urn:schemas-microsoft-com:xslt and commands in JavaScript and VBScript. These files were distributed as email attachments.

Header of the main .msc file

CVE-2024-43451—NetNTLM hash disclosure vulnerability

This vulnerability is also related to the functionality of the Windows operating system, specifically to the NTLM authentication mechanism with the SSPI interface, which is automatically launched in all versions of the OS up to and including Windows 10. During the transmission of the NetNTLM hash, an attacker can intercept it or redirect it to another service, resulting in the compromise of the victim’s credentials. In common legitimate Windows scenarios, users frequently need to authenticate using the NTLM protocol, which may attract attackers. In 2024, we observed the active use of files of various formats with the .url extension in attacks: these files contained links to resources that triggered authentication using NTLM mechanisms.

CVE-2024-49039—Elevation of privilege vulnerability in Windows Task Scheduler

Our 2024 reports mainly included vulnerabilities that were used either solely for privilege escalation or for initial system access. However, CVE-2024-49039 stands out because it allows stealthy persistence within the system, privilege escalation, and command execution.

This vulnerability exploits an undocumented RPC endpoint on the server side, which contains interfaces with a misconfigured security descriptor, enabling privilege escalation.

In recent versions of Windows, when a scheduled task is registered, applications can run in AppContainer, which generally limits their privileges. To exploit the vulnerability, an attacker needs to create a scheduled task that, upon execution, calls the undocumented RPC endpoint. The Task Scheduler contains a vulnerable application launch algorithm, and as a result of the RPC call, the application will be relaunched without AppContainer with the privileges of a regular or system user.

Conclusion and advice

The total number of vulnerabilities registered in the Q4 2024 continues to grow compared to 2023, but the number of published exploits decreased. This may be due to the fact that software vendors have not yet released patches because of the traditional lull during the holiday period. Notably, attackers continue to invent new methods of privilege escalation, as seen in the Task Scheduler vulnerability.

To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:

• Ensure round-the-clock monitoring of your infrastructure, paying special attention to the perimeter;
• Maintain a patch management process: promptly apply security fixes. To configure and automate vulnerability and patch management, you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed;
• Use reliable solutions that can detect and block malware on corporate devices, and comprehensive tools that include incident response scenarios and up-to-date cyberthreat databases.