The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
Local privilege escalation is the patch class that loses the prioritization argument every month. It can’t be exploited from the internet. It requires the attacker to already be on the box. So it sits below the unauthenticated RCEs, the perimeter bugs, the things that make headlines, and it waits for a maintenance window that may or may not come. CVE-2024-30088 is a clean example of why that ordering is a mistake. It’s a Windows kernel race condition, CVSS 7.0, local access required. The Iranian state group APT34 used it as the hinge in a real espionage campaign against Gulf critical infrastructure.
What the bug is
CVE-2024-30088 is a time-of-check to time-of-use race condition (CWE-367) in the Windows kernel, specifically in the handling around NtQueryInformationToken. Microsoft patched it on June 11, 2024. The NVD vector is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, and that AC:H, high attack complexity, is there because winning a race is probabilistic: the attacker has to modify a resource’s state in the narrow window between the kernel checking it and using it, by timing memory mapping, thread scheduling, or APC delivery just right. When the race is won, a low-privileged local process becomes SYSTEM. It affects Windows 10, Windows 11 (21H2 through 23H2), and Windows Server 2016, 2019, and 2022, so the exposed surface is essentially the entire Windows fleet.
CISA added it to the Known Exploited Vulnerabilities catalog on October 15, 2024, with a November 5 deadline. The “high attack complexity” label is worth pausing on, because it’s the second reason this bug gets waved off: a race you can’t win reliably sounds like a lab curiosity. It isn’t, to an attacker who already has code running and can simply retry until the timing lands. Complexity that deters a smash-and-grab doesn’t deter a patient operator with a shell.
How it was actually used
Trend Micro attributed in-the-wild exploitation to Earth Simnavaz, the group more widely known as APT34 or OilRig, during a campaign against organizations in the UAE and the wider Gulf region. The sequence is the part that should reframe how you rank this bug.
APT34 didn’t lead with CVE-2024-30088. They couldn’t; it’s not an entry point. They got in through other means, then loaded a kernel exploit binary into memory using the open-source RunPE-In-Memory tool and fired it to escalate from their initial foothold to SYSTEM. With SYSTEM in hand, they registered a malicious password filter DLL. Password filters are a legitimate Windows mechanism that sees passwords in cleartext at the moment they’re set or changed, which makes a rogue one an elegant credential harvester: every login and password change on that system flows through the attacker’s code in the clear. They paired that with a backdoor that exfiltrated through the victim’s own Microsoft Exchange server and used ngrok to tunnel command-and-control traffic out past network controls.
Read the chain end to end and the escalation bug stops looking optional. Initial access gave APT34 a process. CVE-2024-30088 gave them SYSTEM. SYSTEM gave them the password filter. The password filter gave them everyone’s credentials, and from there the domain. Remove the escalation step and the intrusion stalls at “a foothold on one machine,” which is a containable incident instead of a domain compromise.
The point
Every multi-stage intrusion has a local-access stage. That’s not a special case; it’s the definition of post-exploitation. Ransomware affiliates, espionage crews, and commodity criminals all land somewhere with limited rights and then need to become SYSTEM or domain admin to do anything that matters. The privilege-escalation CVE is the reusable component that bridges that gap, and because it’s reusable, it gets carried from campaign to campaign the way APT34 carried this one as an in-memory payload.
That’s why ranking local EoP below remote RCE by reflex is a mistake. The two aren’t competing for the same slot in an attack; they’re sequential steps in the same attack. Patching the perimeter RCE and leaving the kernel EoP open means you’ve made initial access harder while leaving the part that turns a bad day into a catastrophe fully intact. The bugs that “require local access” are precisely the ones an intruder reaches for once they have it, and they always have it eventually.
What to do
- Patch the June 2024 cumulative update across the whole fleet. CVE-2024-30088 was fixed in that cycle. Because it affects every supported Windows client and server build, there’s no “this doesn’t apply to us” exception to find. Workstations matter as much as servers here, since workstations are where footholds usually start.
- Stop treating local EoP as a lower tier than remote RCE. In your triage model, weight a KEV-listed, actively-exploited escalation bug the same as an actively-exploited remote bug. They’re different links in one chain, not different priorities.
- Watch for password filter abuse. Audit HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages for filter DLLs you didn’t install. A new entry there is a high-fidelity signal that someone already reached SYSTEM and is harvesting credentials, which means the escalation already happened.
- Treat unexplained outbound tunnels as findings. ngrok and similar tunneling tools showing up on a server are rarely benign in an enterprise environment. They’re how data leaves after the local stages are done.
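The password-filter audit above is easy to script. The PowerShell below is an added example, not code from the original post or from any of the cited vendors: it reads the Notification Packages value, resolves each entry to the DLL that LSASS would load from System32, checks the file's Authenticode signature, and flags anything that is either outside a baseline you maintain or not validly signed. The baseline list is an assumption for illustration (scecli is the stock entry; rassfm shows up on some domain controllers); replace it with what your own build inventory says should be there.

```powershell
# Added example (not from the original post): audit LSA Notification Packages
# for password filter DLLs that were not part of the build.
# Assumption: $Baseline reflects the entries your environment legitimately ships with.
$Baseline = @('scecli', 'rassfm')

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Packages = (Get-ItemProperty -Path $KeyPath -Name 'Notification Packages').'Notification Packages'

foreach ($Pkg in $Packages) {
    # Entries are DLL base names; LSA loads "<name>.dll" from System32 at startup.
    $DllPath = Join-Path $env:SystemRoot "System32\$Pkg.dll"
    $Exists  = Test-Path -Path $DllPath
    $SigStatus = if ($Exists) {
        (Get-AuthenticodeSignature -FilePath $DllPath).Status
    } else {
        'MISSING'
    }
    $InBaseline = $Baseline -contains $Pkg

    # Anything unknown, unsigned, or pointing at a file that is not where LSA would
    # load it from is worth a ticket: a rogue filter only appears after SYSTEM was reached.
    $Verdict = if (-not $InBaseline -or $SigStatus -ne 'Valid') { 'INVESTIGATE' } else { 'ok' }

    [PSCustomObject]@{
        Package    = $Pkg
        InBaseline = $InBaseline
        Path       = $DllPath
        Signature  = $SigStatus
        Verdict    = $Verdict
    }
}
```

Run it elevated on a schedule and diff the output against the previous run; a row that was not there yesterday is the signal the bullet describes, and the file behind it is the artifact to pull for analysis before anything is removed.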
The reframe is simple and worth saying out loud in your next patch-prioritization meeting. A privilege-escalation bug isn’t a lesser bug because it can’t get an attacker in the door. It’s the bug that decides whether the attacker who’s already in stays stuck on one machine or owns the whole domain. We track the KEV escalation entries with the same weight as the remote ones, because the intruders who use them already have.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-30088 — 2024-06-11
- Microsoft MSRC: CVE-2024-30088 — 2024-06-11
- Trend Micro: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East — 2024-10-11
- SecurityOnline: Earth Simnavaz exploits Windows Kernel flaw CVE-2024-30088 — 2024-10