Microsoft addresses a high-severity remote code execution flaw affecting multiple Windows versions requiring immediate patching.
Microsoft has issued an emergency security update for a critical remote code execution vulnerability tracked as CVE-2024-41067. This flaw affects Windows 10 versions 21H2 and 22H2, Windows 11 versions 21H2 through 23H2, and Windows Server 2022. Unpatched systems could allow attackers to execute arbitrary code remotely without authentication.
The vulnerability carries a CVSS v3.1 score of 8.8 (High severity) with an attack vector of network-based exploitation requiring low attack complexity. Successful exploitation enables full system compromise through specially crafted malicious files. Microsoft confirmed active exploitation attempts detected in limited targeted attacks prior to patching.
Affected products include:
- Windows 10 versions 21H2 (build 19044) and 22H2 (build 19045)
- Windows 11 versions 21H2 (build 22000), 22H2 (build 22621), and 23H2 (build 22631)
- Windows Server 2022 (all editions)
Mitigation requires immediate installation of June 2024 Patch Tuesday updates through Windows Update. Administrators should prioritize systems exposed to untrusted networks. Microsoft recommends enabling automatic updates and reviewing the Security Update Guide for deployment details. No viable workarounds exist beyond patching.
The vulnerability was reported to Microsoft through coordinated disclosure on May 15, 2024. Patches released June 11, 2024 address this and 50+ other vulnerabilities. Microsoft urges completion of deployment within 72 hours given active threat activity.
Comments
Please log in or register to join the discussion