Exploit

Security Advisory

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM

Microsoft

Severity

Critical

CVSS Score

7.8

CVE

CVE-2024-49138

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Publicly POC Available

Yes


Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name

CVE ID

Product Affected

Severity

CLFS Privilege Escalation

CVE-2024-49138

Microsoft Windows

High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49138

Windows 10, Windows 11, Windows Server 2008–2025

Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.

Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

  1. Update Systems: Apply Microsoft’s December 2024 patches without delay.
  2. Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
  3. Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

Security Advisory

GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities 

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.

Summary 

OEM  Gitlab 
Severity  High 
CVEs  CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 
Exploited in Wild  No 
Patch/Remediation Available  Yes 
Advisory Version  1.0 

Overview 

The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues. 

Vulnerability Name  CVE ID  Product Affected  Severity 
Import Functionality Vulnerabilities  CVE-2024-6385  GitLab CE/EE  Critical 
Import Functionality Vulnerabilities   CVE-2024-5655   GitLab CE/EE  High 
Import Functionality Vulnerabilities  CVE-2024-6678  GitLab CE/EE  High 
Import Functionality Vulnerabilities  CVE-2024-8970  GitLab CE/EE  High 
Access Token Exposure in Logs  CVE-2025-0194  GitLab CE/EE  Medium 
Cyclic Reference of Epics Leading to DoS  CVE-2024-6324  GitLab CE/EE  Medium 
Unauthorized Manipulation of Issue Status  CVE-2024-12431  GitLab CE/EE  Medium 
Instance SAML Bypass  CVE-2024-13041  GitLab CE/EE  Medium 

Technical Summary 

This update addresses several significant vulnerabilities identified in GitLab CE/EE: 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2024-6385     GitLab CE/EE      Vulnerability in import functionality allowing potential exploitation      Allows attackers to exploit the system.  
CVE-2024-5655 
CVE-2024-6678 
CVE-2024-8970 
CVE-2025-0194  GitLab CE/EE  Possible exposure of access tokens in logs under certain conditions.  Potential unauthorized access to sensitive resources. 
CVE-2024-6324  GitLab CE/EE  Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS).  Service disruption due to resource exhaustion. 
CVE-2024-12431  GitLab CE/EE  Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows.  Workflow disruption and compromised data integrity. 
CVE-2024-13041  GitLab CE/EE  Flaw in instance SAML configuration allowing bypass of external provider settings.  Unauthorized access to internal projects or groups. 

Key Changes to Import Functionality: 

  • Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security. 
  • Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains. 
  • User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access. 

Remediation

  • Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities. 
  • Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward. 
  • Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.  

Conclusion: 

The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.  

References: 

Image 
 
A close-up of a warning sign Description automatically generated 

Scroll to top