What is the CVE-2024-26169 vulnerability?

CVE-2024-26169 is a high-severity Windows privilege escalation vulnerability in the Windows Error Reporting Service. It has a CVSS v3.1 score of 7.8 and was fixed in the March 2024 Patch Tuesday.

Who are the attackers exploiting the CVE-2024-26169 vulnerability?

The attackers are identified as the cybercrime group Storm-1811, also known as UNC4394, who are operators of the Black Basta ransomware gang. Black Basta is believed to be linked to the now-defunct Conti cybercrime syndicate.

Has Microsoft reported any active exploitation of CVE-2024-26169?

Microsoft has not reported any active exploitation of CVE-2024-26169 on their vendor page.

What should users do to protect themselves from the CVE-2024-26169 vulnerability?

Users are advised to apply the latest Windows security updates to protect themselves from the CVE-2024-26169 vulnerability.

Attack

Windows vulnerability CVE-2024-26169 exploited by Black Basta ransomware gang

Q: How does the CVE-2024-26169 vulnerability get exploited?

Attackers exploit the vulnerability using an exploit tool that manipulates the Windows file werkernel.sys, which utilizes a null security descriptor when creating registry keys. The tool creates a registry key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe) and sets the 'Debugger' value to a malicious executable, allowing the launch of a shell with SYSTEM privileges.

published: June 12, 2024

Take action: The patch for CVE-2024-26169. It's shameful if you still haven't patched your computer. Just run the update process, and go for a walk for an hour. It's that easy.

Learn More

The Black Basta ransomware operation is suspected of exploiting a high-severity Windows privilege escalation vulnerability, tracked as CVE-2024-26169 (CVSS v3.1: 7.8). This flaw in the Windows Error Reporting Service was fixed in the March 2024 Patch Tuesday.

Microsoft has not reported active exploitation reported on the vendor's page

Symantec reports that attackers used an exploit tool to manipulate the Windows file werkernel.sys which utilizes a null security descriptor when creating registry keys. The tool creates a registry key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe) and sets the "Debugger" value to a malicious executable, allowing the launch of a shell with SYSTEM privileges.

Attackers are identified cybercrime group (Storm-1811, UNC4394), operators of the Black Basta gang. Black Basta is believed to be linked to the now-defunct Conti cybercrime syndicate.

Users are advised to apply the latest Windows security updates.

Windows vulnerability CVE-2024-26169 exploited by Black Basta ransomware gang

Read More
Trimble and CISA report active exploitation of their …
Critical RCE Vulnerability Exploited in Legacy D-Link DSL …
CISA warns of active exploitation of critical Sudo …
Botnet actively exploits flaws in NVRs, TP-Link routers
F5 Warns of Critical BIG-IP APM Zero-Day Exploited …