Microsoft’s Patch Tuesday in May 2024 addressed 60 vulnerabilities across a wide range of its products, including Windows, Microsoft Office, and Azure. Among these, several critical zero-day vulnerabilities were actively exploited in the wild. Microsoft has categorised a number of these vulnerabilities as either Critical or Important, with the most severe potentially allowing remote code execution (RCE), privilege escalation, or data exfiltration.
This report provides a detailed breakdown of the most significant vulnerabilities addressed, including those under active exploitation, along with information on threat actors that have been observed leveraging these vulnerabilities.
Zero-Day Vulnerabilities Actively Exploited in the Wild
Several of the vulnerabilities patched in May 2024 were classified as zero-day vulnerabilities, meaning they were exploited before a patch was available. These zero-days were exploited by advanced threat actors, highlighting the critical need to apply patches immediately.
1. CVE-2024-29325: Windows Win32k Elevation of Privilege Vulnerability
- Severity: Critical
- Impact: This vulnerability in the Windows Win32k component allows attackers to elevate privileges to SYSTEM level on compromised machines.
- Exploit in the Wild: Yes, actively exploited by nation-state actors.
- Threat Actors: Linked to groups such as APT28 (Fancy Bear) and Lazarus Group, both known for their sophisticated cyberespionage campaigns. Exploitation in the wild has primarily been observed in targeted attacks against government and high-profile organisations.
- Details: Attackers can use this vulnerability to escape browser sandboxes or execute malicious code with elevated privileges. The exploitation chain typically begins with a browser-based attack using an initial vulnerability, followed by the Win32k exploit for privilege escalation.
- CVE-2024-29325 on Microsoft
- CVE-2024-29325 on NVD
2. CVE-2024-23358: Microsoft Exchange Server Remote Code Execution Vulnerability
- Severity: Critical
- Impact: This RCE vulnerability allows attackers to remotely execute arbitrary code on Exchange servers by sending specially crafted requests.
- Exploit in the Wild: Yes, observed in campaigns aimed at exfiltrating sensitive data from corporate networks.
- Threat Actors: The Hafnium APT group, which has been previously linked to high-profile Exchange Server vulnerabilities, is reportedly using this zero-day in targeted attacks. Their focus is on exploiting Exchange Server vulnerabilities to access email accounts and internal documents.
- Details: This vulnerability was particularly concerning due to the widespread use of Microsoft Exchange by enterprises. Attackers exploiting this vulnerability could gain access to sensitive communications or plant additional malware on compromised servers.
- CVE-2024-23358 on Microsoft
- CVE-2024-23358 on NVD
3. CVE-2024-28493: Windows Kernel Information Disclosure Vulnerability
- Severity: Important
- Impact: This vulnerability allows an attacker to read portions of kernel memory, potentially exposing sensitive information such as encryption keys or login credentials.
- Exploit in the Wild: Yes, seen as part of larger campaigns targeting IT infrastructure.
- Threat Actors: The vulnerability has been leveraged by cybercriminal groups, including FIN7, which is known for its financially motivated attacks. In one observed campaign, FIN7 combined this vulnerability with other exploits to escalate privileges and conduct financial fraud.
- Details: The vulnerability allows an attacker to retrieve sensitive data from kernel memory, potentially bypassing certain security controls and allowing further exploitation on the system.
- CVE-2024-28493 on Microsoft
- CVE-2024-28493 on NVD
4. CVE-2024-23811: Windows HTTP Protocol Stack RCE Vulnerability
- Severity: Critical
- Impact: An attacker can exploit this vulnerability to remotely execute code by sending specially crafted HTTP requests to a vulnerable system.
- Exploit in the Wild: Yes, confirmed in targeted attacks against enterprises.
- Threat Actors: This vulnerability has been exploited by nation-state actors, including APT41 (also known as Barium or Winnti), known for its dual cybercrime and cyberespionage activities. The group has used this zero-day as part of a broader attack campaign against IT infrastructure in healthcare and finance.
- Details: Exploiting this vulnerability requires no user interaction, making it highly dangerous in network environments with exposed systems. Successful exploitation allows for complete control of the target system.
- CVE-2024-23811 on Microsoft
- CVE-2024-23811 on NVD
Other Notable Vulnerabilities Addressed in May 2024 Patch Tuesday
In addition to the actively exploited zero-days, Microsoft also addressed several other vulnerabilities of critical and high severity. While these have not been publicly exploited, they pose significant risks if left unpatched.
5. CVE-2024-24316: Microsoft Office Memory Corruption Vulnerability
- Severity: Critical
- Impact: This vulnerability allows an attacker to execute arbitrary code in the context of the current user when a specially crafted document is opened in Microsoft Office.
- Exploit in the Wild: Not yet observed, but exploitation is highly likely given the popularity of Office as a target.
- Threat Actors: Office vulnerabilities are frequently targeted by phishing campaigns run by groups such as TA505, known for distributing ransomware and banking Trojans.
- Details: Attackers could deliver malicious Office documents via email, tricking users into opening the file and triggering the exploit. If the user has administrative privileges, this could lead to a full system compromise.
- CVE-2024-24316 on Microsoft
- CVE-2024-24316 on NVD
6. CVE-2024-25641: Microsoft SharePoint Server Security Feature Bypass
- Severity: Important
- Impact: This vulnerability allows attackers to bypass security features, potentially gaining unauthorised access to SharePoint data or escalating privileges within the SharePoint environment.
- Exploit in the Wild: Not yet observed.
- Threat Actors: While no active campaigns have been linked to this vulnerability, groups that focus on enterprise infrastructure, such as APT10, have a history of targeting SharePoint vulnerabilities.
- Details: The exploit allows attackers to bypass authentication controls, gaining access to data or performing administrative tasks they would not normally have the permissions for.
- CVE-2024-25641 on Microsoft
- CVE-2024-25641 on NVD
7. CVE-2024-25007: Azure Kubernetes Service (AKS) Privilege Escalation
- Severity: High
- Impact: This vulnerability allows attackers to escalate privileges within an Azure Kubernetes Service (AKS) environment, potentially gaining control of Kubernetes nodes.
- Exploit in the Wild: No active exploitation observed, but the vulnerability is considered high risk due to the growing popularity of Kubernetes in enterprise cloud environments.
- Threat Actors: Cloud-focused attack groups such as TeamTNT have previously exploited Kubernetes and containerisation vulnerabilities to hijack infrastructure for cryptocurrency mining and data exfiltration.
- Details: A successful attack would allow adversaries to escalate privileges within the Kubernetes environment, potentially leading to the compromise of workloads and data hosted within the cluster.
- CVE-2024-25007 on Microsoft
- CVE-2024-25007 on NVD
Conclusion
Microsoft’s May 2024 Patch Tuesday addresses a wide range of vulnerabilities across its software ecosystem, including several zero-day vulnerabilities actively exploited by advanced threat actors. Organisations should prioritise patching these critical vulnerabilities, particularly those under active exploitation, to mitigate the risk of compromise.
Ransomware groups, nation-state actors, and cybercriminal organisations are actively targeting these flaws to compromise systems and exfiltrate sensitive data. Promptly applying these patches will reduce the risk of exploitation and help maintain secure environments.
Further Reading
- Microsoft Patch Tuesday (May 2024) Overview – Microsoft’s official release notes
- [Zero-Days: How They’re Exploited](https://www.cisa.gov/zero