Known Exploited Vulnerabilities CVE-2024-26169 Mappings

Windows Error Reporting Service Elevation of Privilege Vulnerability

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | |
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1112 | Modify Registry | |
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution | |

Comments (identical for all three mappings)

The zero-day exploit for this vulnerability "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the 'Debugger' value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
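The registry change described in the comment can be hunted for in registry telemetry. The following is an added example, not part of the original mapping page: it triages registry events for writes under Image File Execution Options, ranking the WerFault.exe "Debugger" value highest. The event field names follow Sysmon registry events, and the sample records, paths and severity labels are constructed assumptions.

```python
import re

# Constructed sample records. Field names follow Sysmon registry events
# (Event ID 12 key create, Event ID 13 value set); values are placeholders.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "TargetObject": IFEO + r"\WerFault.exe\Debugger",
     "Details": r"C:\Users\Public\placeholder.exe"},
    {"EventType": "CreateKey", "TargetObject": IFEO + r"\WerFault.exe", "Details": ""},
    {"EventType": "SetValue", "TargetObject": IFEO + r"\taskmgr.exe\Debugger",
     "Details": r"C:\Tools\procexp64.exe"},
    {"EventType": "SetValue", "TargetObject": IFEO + r"\notepad.exe\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\WERFAULT.EXE\debugger",
     "Details": r"C:\Users\Public\placeholder.exe"},
]

# Matches an IFEO key or a value directly beneath it, in either registry view
# and with any of the common hive spellings; registry paths are case-insensitive.
IFEO_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    r"(?P<image>[^\\]+)(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)

def classify(event):
    """Return a severity label for one registry event, or None if not relevant."""
    m = IFEO_RE.match(event.get("TargetObject", "").strip())
    if not m:
        return None
    image = m.group("image").lower()
    value = (m.group("value") or "").lower()
    if image == "werfault.exe" and value == "debugger":
        return "critical"  # the exact key and value named in the comment above
    if image == "werfault.exe":
        return "high"      # assumption: any IFEO key for WerFault.exe merits review
    if value == "debugger":
        return "medium"    # IFEO debugger on another image: may be legitimate tooling
    return None

def triage(events):
    """Return (severity, TargetObject, Details) for every relevant event."""
    return [(sev, e["TargetObject"], e.get("Details", ""))
            for e in events if (sev := classify(e))]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The "medium" tier will fire on legitimate debugger registrations, so it is best reviewed against a baseline rather than alerted on directly.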