PatchDay Alert
Analysis · 4 min read · 872 words · By operations-desk

Microsoft said 'no known exploitation.' The exploit may have been three months old.

When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.

Microsoft patched CVE-2024-26169 on March 12, 2024, and the advisory carried the reassuring boilerplate: not aware of exploitation. Then Symantec’s threat hunters reported finding a Black Basta exploit tool for this exact bug with a compilation timestamp of February 27, 2024, and a second sample stamped December 18, 2023. That’s 14 to 85 days before the fix existed.

The honest caveat first, because it matters: PE compilation timestamps are trivially editable, so they are not proof. Symantec said as much. What they are is a plausible, evidence-backed indication that a major ransomware operation had a working privilege-escalation exploit in hand before the vulnerability was public, while the vendor’s status line read “no known exploitation.” Treat that as an operating assumption rather than a certainty, and the conclusion still holds: “we’re not aware of attacks” is a statement about Microsoft’s visibility on patch day, not a guarantee about what’s in a ransomware crew’s toolkit.

What the bug is and how it’s abused

CVE-2024-26169 is an improper-privilege-management flaw (CWE-269) in the Windows Error Reporting Service, CVSS 7.8, local attack vector. A user-level attacker uses it to become SYSTEM. It affected essentially the whole supported Windows line at the time: Windows 10 from 1507 onward, Windows 11 through 23H2, and Windows Server 2008 through 2022.

The mechanism is worth knowing because it tells you what to watch for. The kernel component werkernel.sys created certain registry keys with a null security descriptor, so a low-privileged user could write where they shouldn’t. The exploit used that write to set a Debugger value under the Image File Execution Options (IFEO) key for WerFault.exe. IFEO is a legitimate Windows debugging feature: set a Debugger value for a program and, whenever that program is started, Windows launches the named “debugger” in its place, with the program’s original command line appended. Because the Windows Error Reporting service starts WerFault.exe as SYSTEM, whatever the Debugger value names inherits that context. In the sample Symantec analyzed, the value pointed at the exploit tool’s own executable, which then started a shell as SYSTEM. CISA added the bug to the Known Exploited Vulnerabilities catalog on June 13, 2024, flagged for ransomware use; Black Basta (also tracked as Cardinal, Storm-1811, and UNC4393) and Play have both been tied to it.

The detection that outlives the CVE

Here’s why this one is worth more than a patch ticket. The IFEO Debugger trick is decades old and not specific to CVE-2024-26169. Attackers use it for privilege escalation and for persistence (MITRE ATT&CK tracks it as T1546.012, Image File Execution Options Injection), across many different initial bugs. So while you should absolutely patch this CVE, the durable win is monitoring the technique itself, which catches a whole class of activity regardless of which vulnerability got them the write primitive.

  • Alert on creation or modification of Debugger values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\* (and the WOW6432Node mirror). Sysmon Event ID 13 (RegistryEvent, value set) or Windows Security event 4657 with a SACL on that key will surface the write. A Debugger entry that points WerFault.exe, or any common system binary, at cmd.exe, powershell.exe, or a path under a user-writable directory is high-fidelity malicious. The one legitimate source of noise is developers who register a real debugger for their own binaries (gflags.exe sets exactly this value), so allowlist known debuggers per image rather than muting the key.
  • Watch for shells and other unexpected children of Windows Error Reporting. WerFault.exe is a crash-reporting helper; it has no business launching command interpreters. Keep in mind how the IFEO hijack actually looks in process telemetry: the named “debugger” is launched instead of WerFault.exe by whatever tried to start it (normally the WER service host, svchost.exe), with WerFault’s arguments appended to its command line. So also flag any non-WerFault image whose command line carries WerFault.exe’s invocation, and any shell spawned by that image.
  • Treat any unexpected SYSTEM-context shell whose parent chain runs through Windows Error Reporting as an incident, not noise.
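The three detections above, expressed as rules run over constructed Sysmon-style events. This is an added example, not code from the original page or from Symantec’s or CISA’s reporting. It assumes Sysmon field names (Event ID 13 for registry value writes, Event ID 1 for process creation); the host names, paths, and the KNOWN_DEBUGGERS allowlist are invented placeholders to tune for your own fleet. It goes slightly beyond the bullets by matching the IFEO launch shape directly: a binary that is not WerFault.exe but was started with WerFault.exe’s command line appended, which is how an IFEO substitution appears in telemetry.

```python
import re

# Sysmon Event ID 13 reports the full value path, e.g.
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger
IFEO_DEBUGGER_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\]+)\\Debugger$", re.IGNORECASE)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: debuggers a developer might legitimately register; tune for your fleet.
KNOWN_DEBUGGERS = {"windbg.exe", "windbgx.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}
# Standard users can write here, so a "debugger" living here is attacker-controlled.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def first_token(command):
    """Executable path from a Debugger value, quoted ("C:\\a b\\x.exe" /arg) or bare."""
    quoted = re.match(r'"([^"]+)"', command.strip())
    return quoted.group(1) if quoted else command.strip().split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_ifeo_write(target_object, details):
    """Rule 1: a Debugger value created or changed under IFEO."""
    m = IFEO_DEBUGGER_RE.match(target_object)
    if not m:
        return None
    exe = first_token(details)
    name = basename(exe)
    if name in SHELLS:
        severity, why = "high", "Debugger is a command interpreter"
    elif exe.lower().startswith(USER_WRITABLE):
        severity, why = "high", "Debugger lives in a user-writable directory"
    elif name in KNOWN_DEBUGGERS:
        severity, why = "low", "known debugger; confirm a developer set it"
    else:
        severity, why = "medium", "unexpected Debugger path"
    return {"rule": "ifeo_debugger_set", "severity": severity,
            "hijacked": m.group(1).lower(), "debugger": exe, "why": why}


def classify_process_create(image, parent_image, command_line, user):
    """Rules 2 and 3 over Sysmon Event ID 1. Two shapes: a shell parented by WerFault.exe,
    and the IFEO shape, where Windows starts the Debugger binary instead of WerFault.exe,
    appends WerFault's original command line, and the parent is whoever tried to launch
    WerFault (normally the WER service host, svchost.exe)."""
    child = basename(image)
    attacker_like = child in SHELLS or image.lower().startswith(USER_WRITABLE)
    if basename(parent_image) == "werfault.exe" and child in SHELLS:
        rule = "werfault_spawns_shell"
    elif child != "werfault.exe" and "werfault.exe" in command_line.lower() and attacker_like:
        rule = "launched_in_place_of_werfault"
    else:
        return None
    severity = "critical" if user.upper() in SYSTEM_ACCOUNTS else "high"
    return {"rule": rule, "severity": severity, "child": child,
            "parent": basename(parent_image), "user": user}


def scan(events):
    """Apply the rules to Sysmon-style event dicts; returns the list of alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:
            alert = classify_ifeo_write(ev["TargetObject"], ev["Details"])
        elif ev["EventID"] == 1:
            alert = classify_process_create(ev["Image"], ev["ParentImage"],
                                            ev["CommandLine"], ev["User"])
        else:
            alert = None
        if alert:
            alerts.append(dict(alert, host=ev["Computer"]))
    return alerts


IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
TOOL = "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"   # invented attacker binary
SYS32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry (Sysmon field names, invented hosts and paths), not real logs.
SAMPLE_EVENTS = [
    # A user-land tool sets WerFault.exe's Debugger to itself,
    {"EventID": 13, "Computer": "WS01", "TargetObject": IFEO + "WerFault.exe\\Debugger",
     "Details": TOOL},
    # then the WER service host starts the tool in WerFault's place, as SYSTEM.
    {"EventID": 1, "Computer": "WS01", "Image": TOOL, "ParentImage": SYS32 + "svchost.exe",
     "CommandLine": TOOL + " " + SYS32 + "WerFault.exe -u -p 4120 -s 1288",
     "User": "NT AUTHORITY\\SYSTEM"},
    # The simpler shape from the bullets above: WerFault.exe itself parenting a SYSTEM shell.
    {"EventID": 1, "Computer": "WS01", "Image": SYS32 + "cmd.exe",
     "ParentImage": SYS32 + "WerFault.exe", "CommandLine": "cmd.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    # A developer registering a real debugger for their own app: low, not silent.
    {"EventID": 13, "Computer": "DEV07", "TargetObject": IFEO + "myapp.exe\\Debugger",
     "Details": "\"C:\\Program Files\\WinDbg\\windbg.exe\" -g"},
    # Benign child of WerFault, and a non-Debugger IFEO value: no alert for either.
    {"EventID": 1, "Computer": "DEV07", "Image": SYS32 + "conhost.exe",
     "ParentImage": SYS32 + "WerFault.exe", "CommandLine": "conhost.exe 0x4", "User": "DEV07\\bob"},
    {"EventID": 13, "Computer": "WS02", "TargetObject": IFEO + "WerFault.exe\\GlobalFlag",
     "Details": "DWORD (0x00000000)"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts: the Debugger write (high, because the target lives under a user profile), the tool launched in WerFault’s place as SYSTEM (critical), the cmd.exe child of WerFault.exe (critical), and the developer’s windbg registration (low). The conhost child and the GlobalFlag write produce nothing. The severity split is the practical point: the Debugger write alone tells you a key was touched, while a SYSTEM-context hit on the process rules tells you the escalation already happened.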

These detections would have fired on this exploit and will fire on the next tool that reaches for the same well-worn technique. That’s a better return than a signature for one CVE.

What to do

  • Apply the March 2024 cumulative update across the fleet, workstations included. This is a local privilege-escalation bug, so the machines that matter are the ones where attackers land first, which are usually user endpoints, not just servers. There’s no “doesn’t apply to us” exception given the breadth of affected versions.
  • Stand up the IFEO Debugger monitoring above if you don’t already have it. It’s cheap, it’s durable, and it pays off well beyond this CVE.
  • Don’t over-trust “no known exploitation” in vendor advisories for privilege-escalation bugs. That line reflects the vendor’s telemetry at publication. For EoP flaws in particular, exploit tooling circulates inside ransomware operations and isn’t always visible to the vendor, so prioritize EoP patches on their merits rather than discounting them because nobody’s reported attacks yet.
  • Patch fast, because the window may already be open. If a capable crew really did hold this for weeks before the fix, then every day an unpatched endpoint sat after March 12 was a day the door was both known and open. You can’t change how long they had it; you can change how long you leave it.

The reframe is about what an advisory’s exploitation status actually tells you. “Not aware of exploitation” is a present-tense report on the defender’s side of the glass. It says nothing reliable about the offense, and for privilege escalation, the offense is frequently ahead. So patch EoP bugs like they’re already in use, and build the detections that catch the technique even when you lose the race to patch. We read the privilege-escalation entries in KEV with that assumption baked in, because by the time a bug earns its catalog listing, somebody has usually been using it for a while.
