On 10 December 2024, Microsoft released their December 2024 security update, which included patches for 72 newly disclosed vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted 16 in this security bulletin affecting Microsoft Windows, including:
- 15 Remote Code Execution (RCE) vulnerabilities rated as Critical by Microsoft.
- 1 vulnerability actively exploited in the wild.
Vulnerabilities
Vulnerability | CVSS | Description | Exploited? |
--- | --- | --- | --- |
CVE-2024-49112 | 9.8 | Windows Lightweight Directory Access Protocol (LDAP) RCE Vulnerability – An unauthenticated attacker can exploit this vulnerability by sending a specially crafted set of LDAP calls to gain code execution within the context of the LDAP service. | No |
CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, CVE-2024-49132 | 8.1 | Windows Remote Desktop Services RCE Vulnerability – Exploiting one of these vulnerabilities requires triggering a race condition on a Remote Desktop Gateway system to create a use-after-free scenario, allowing arbitrary code execution. | No |
CVE-2024-49127, CVE-2024-49124 | 8.1 | Windows Lightweight Directory Access Protocol (LDAP) RCE Vulnerability – An unauthenticated attacker could exploit this vulnerability by triggering a race condition with a specially crafted request, potentially executing code in the context of the SYSTEM account. | No |
CVE-2024-49118, CVE-2024-49122 | 8.1 | Microsoft Message Queuing (MSMQ) RCE Vulnerability – To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet, triggering a race condition that could lead to RCE on the server. | No |
CVE-2024-49126 | 8.1 | Windows Local Security Authority Subsystem Service (LSASS) RCE Vulnerability – An attacker can exploit this vulnerability by triggering a race condition through a network call that targets the server accounts, resulting in remote code execution in the context of the server’s account, with no privileges or user interaction required. | No |
CVE-2024-49138 | 7.8 | Windows Common Log File System Driver Elevation of Privilege Vulnerability – A local attacker can exploit this vulnerability to gain SYSTEM privileges. | Yes |
NTLM Exposure Vulnerability
On December 5, 2024, security researchers disclosed a vulnerability that could allow an attacker to obtain a user’s NT LAN Manager (NTLM) credentials by having the user view a malicious file in Windows Explorer. According to the researchers, the vulnerability impacts all Windows Workstation and Server versions starting with Windows 7 and Server 2008 R2 all the way through Windows 11 v24H2 and Server 2022. Microsoft has been notified of the vulnerability, but no official patch is currently available, and a Common Vulnerabilities and Exposures (CVE) identifier has not been assigned. This vulnerability was not addressed in this month’s Patch Tuesday security update; however, Microsoft has stated it will be fixed in April 2025. The researchers have announced they are withholding technical details until users can apply a patch.
At this time, there is no indication of an immediate threat from this vulnerability, as there is no publicly available proof of concept exploit and no active exploitation observed.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | CVE | Update Article |
--- | --- | --- |
Windows 10 for 32-bit Systems and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49138 | 5048703 |
Windows 10 Version 1607 for 32-bit Systems and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49138 | 5048671 |
Windows 10 Version 1809 for 32-bit Systems and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49132, CVE-2024-49138 | 5048661 |
Windows 10 Version 21H2/22H2 for 32-bit Systems, ARM64-based Systems, and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49132, CVE-2024-49138 | 5048652 |
Windows 11 Version 22H2/23H2 for ARM64-based Systems, and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49132, CVE-2024-49138 | 5048685 |
Windows 11 Version 24H2 for ARM64-based Systems, and x64-based Systems | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49132, CVE-2024-49138 | 5048667, 5048794 |
Windows Server 2008 for 32-bit Systems, and x64-based Systems Service Pack 2 | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49138 | 5048710, 5048744 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2024-49112, CVE-2024-49118, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49138 | 5048695, 5048676 |
Windows Server 2012 | CVE-2024-49112, CVE-2024-49118, CVE-2024-49120, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49138 | 5048699 |
Windows Server 2012 R2 | CVE-2024-49112, CVE-2024-49118, CVE-2024-49120, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49138 | 5048735 |
Windows Server 2016 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49138 | 5048671 |
Windows Server 2019 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048661 |
Windows Server 2022 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048654, 5048800 |
Windows Server 2022, 23H2 Edition | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048653 |
Windows Server 2025 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048667, 5048794 |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
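The two tables above can drive a first-pass patch triage. The following is an added example, not code from Arctic Wolf or Microsoft: it joins three product rows copied from this bulletin with a constructed host inventory and lists unpatched hosts in order of urgency. It assumes that any one of the update articles listed for a product carries the fix; the function names, hostnames and the `KB0000001` entry are hypothetical.

```python
# Added example: patch triage built from the bulletin's two tables.
# Rows are copied from the bulletin (three products only); INVENTORY is constructed.
VULN_ROWS = """
CVE-2024-49112 | 9.8 | No
CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, CVE-2024-49132 | 8.1 | No
CVE-2024-49127, CVE-2024-49124 | 8.1 | No
CVE-2024-49118, CVE-2024-49122 | 8.1 | No
CVE-2024-49126 | 8.1 | No
CVE-2024-49138 | 7.8 | Yes
"""
FIX_ROWS = """
Windows Server 2012 R2 | CVE-2024-49112, CVE-2024-49118, CVE-2024-49120, CVE-2024-49122, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49138 | 5048735
Windows Server 2019 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048661
Windows Server 2025 | CVE-2024-49106, CVE-2024-49108, CVE-2024-49112, CVE-2024-49115, CVE-2024-49116, CVE-2024-49118, CVE-2024-49119, CVE-2024-49120, CVE-2024-49122, CVE-2024-49123, CVE-2024-49124, CVE-2024-49126, CVE-2024-49127, CVE-2024-49128, CVE-2024-49132, CVE-2024-49138 | 5048667, 5048794
"""
INVENTORY = [  # constructed sample: (host, product, installed KB ids)
    ("dc01", "Windows Server 2019", ["KB0000001"]),
    ("file02", "Windows Server 2012 R2", ["KB5048735"]),
    ("app03", "Windows Server 2025", ["KB5048794"]),
    ("rdgw04", "Windows Server 2012 R2", []),
    ("old05", "Windows Server 2003", []),
]

def rows(text):
    """Split pipe-delimited rows into lists of trimmed cells."""
    return [[c.strip() for c in ln.split("|")] for ln in text.strip().splitlines()]

def load_vulns(text):
    """Map CVE id -> (CVSS score, exploited in the wild)."""
    return {cve.strip(): (float(cvss), hit == "Yes")
            for cves, cvss, hit in rows(text) for cve in cves.split(",")}

def load_fixes(text):
    """Map product -> (set of CVE ids, set of KB ids carrying the fix)."""
    return {p: ({c.strip() for c in cves.split(",")}, {"KB" + k.strip() for k in kbs.split(",")})
            for p, cves, kbs in rows(text)}

def triage(inventory, fixes, vulns):
    """Return (unpatched hosts ordered by urgency, hosts with no matching product row)."""
    findings, unmapped = [], []
    for host, product, installed in inventory:
        if product not in fixes:
            unmapped.append(host)        # no row for this product: review manually
            continue
        cves, kbs = fixes[product]
        if kbs & set(installed):         # assumption: any one listed KB suffices
            continue
        findings.append({"host": host, "install_one_of": sorted(kbs), "open_cves": len(cves),
                         "max_cvss": max(vulns[c][0] for c in cves),
                         "exploited": sorted(c for c in cves if vulns[c][1])})
    findings.sort(key=lambda f: (not f["exploited"], -f["max_cvss"], -f["open_cves"], f["host"]))
    return findings, unmapped
```

Windows cumulative updates are superseded each month, so a host carrying a later cumulative update will not list these KB numbers; for checks run after the December 2024 cycle, compare OS build numbers instead.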