CVE-2024-20671

MEDIUM

Microsoft Defender < - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-20671. PoCs published by ig-labs.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2024-20671, demonstrating a denial-of-service (DoS) vulnerability in Windows EDR agents by registering an ALPC port before the EDR initializes, causing the EDR to crash on startup.

Description

Microsoft Defender Security Feature Bypass Vulnerability

Exploits (1)

github WORKING POC 33 stars

by ig-labs · c++poc

https://github.com/ig-labs/EDR-ALPC-Block-POC

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2024-20671, demonstrating a denial-of-service (DoS) vulnerability in Windows EDR agents by registering an ALPC port before the EDR initializes, causing the EDR to crash on startup.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Windows EDR agents (e.g., Palo Alto Networks Cortex)

No auth needed

Prerequisites: Low-privileged user access · Ability to register a startup task · System reboot

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20671

Scores

CVSS v3 5.5

EPSS 0.0026

EPSS Percentile 49.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-276

Status published

Products (1)

microsoft/windows_defender_antimalware_platform < 4.18.24010.12

Published Mar 12, 2024

Tracked Since Feb 18, 2026