CVE-2024-21111

HIGH

Oracle VM VirtualBox < 7.0.16 - Privilege Escalation via Core Component

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2024-21111. PoCs published by Milad karimi, mansk1es, x0rsys.

AI-analyzed exploit summary This exploit leverages a privilege escalation vulnerability in VirtualBox 7.0.16 by manipulating directory junctions and DosDevice symlinks to escalate privileges. It involves creating and deleting junctions, triggering the VBoxSDS service, and manipulating the Config.Msi directory.

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploits (4)

exploitdb WORKING POC
by Milad karimi · localwindows
https://www.exploit-db.com/exploits/52287

This exploit leverages a privilege escalation vulnerability in VirtualBox 7.0.16 by manipulating directory junctions and DosDevice symlinks to escalate privileges. It involves creating and deleting junctions, triggering the VBoxSDS service, and manipulating the Config.Msi directory.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Oracle VirtualBox 7.0.16
No auth needed
Prerequisites: VirtualBox 7.0.16 installed on Windows · No active VMs running · Local access to the system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 216 stars
by mansk1es · poc
https://github.com/mansk1es/CVE-2024-21111

This repository contains functional exploit code for CVE-2024-21111, a local privilege escalation vulnerability in Oracle VirtualBox prior to 7.0.16. The exploit leverages symbolic link following to achieve arbitrary file deletion and movement, allowing an attacker to escalate privileges to NT AUTHORITY\SYSTEM.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle VirtualBox < 7.0.16
No auth needed
Prerequisites: Local access to a vulnerable VirtualBox installation · Ability to write to C:\ProgramData\VirtualBox
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS 2 stars
by x0rsys · poc
https://github.com/x0rsys/CVE-2024-21111

The repository contains no actual exploit code, only a README pointing to external binaries built from another source. It lacks technical details about the vulnerability and instead directs users to prebuilt binaries, which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 90%
Attack Type
Lpe
Complexity
Theoretical
Reliability
Theoretical
Target: Oracle VM VirtualBox prior to 7.0.16
No auth needed
Prerequisites: Access to the target system with Oracle VM VirtualBox installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by 10cks · poc
https://github.com/10cks/CVE-2024-21111-del

This repository contains a functional exploit PoC for CVE-2024-21111, targeting VirtualBox's VBoxSDS service. The exploit leverages directory junction and symbolic link manipulation to achieve arbitrary file deletion, demonstrating a local privilege escalation (LPE) vulnerability.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle VirtualBox (specific version not explicitly stated)
No auth needed
Prerequisites: VirtualBox installed · VBoxSDS service running · Local access to the system
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/52287

Scores

CVSS v3 7.8
EPSS 0.0178
EPSS Percentile 75.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (1)
oracle/vm_virtualbox < 7.0.16
Published Apr 16, 2024
Tracked Since Feb 18, 2026