CVE-2024-21320

MEDIUM

Windows 10/11, Server 2012-2022 - Sensitive Info Exposure via Theme Spoofing

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-21320. PoCs published by Abinesh kamal K U, sxyrxyy.

AI-analyzed exploit summary This exploit leverages a malicious Windows theme file to trigger an NTLM hash leak via SMB. The PoC generates a `.theme` file pointing to an attacker-controlled SMB server, which captures the hash when the victim opens the file.

Description

Windows Themes Spoofing Vulnerability

Exploits (2)

exploitdb WORKING POC
by Abinesh kamal K U · textremotewindows
https://www.exploit-db.com/exploits/52092

This exploit leverages a malicious Windows theme file to trigger an NTLM hash leak via SMB. The PoC generates a `.theme` file pointing to an attacker-controlled SMB server, which captures the hash when the victim opens the file.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows (versions affected by CVE-2024-21320)
No auth needed
Prerequisites: Responder tool installed · Attacker-controlled SMB server · Victim interaction to open the theme file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 6.5
EPSS 0.2339
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (13)
microsoft/windows_10_1507 < 10.0.10240.20402
microsoft/windows_10_1607 < 10.0.14393.6614
microsoft/windows_10_1809 < 10.0.17763.5329
microsoft/windows_10_21h2 < 10.0.19044.3930
microsoft/windows_10_22h2 < 10.0.19045.3930
microsoft/windows_11_21h2 < 10.0.22000.2713
microsoft/windows_11_22h2 < 10.0.22621.3007
microsoft/windows_11_23h2 < 10.0.22631.3007
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 3 more
Published Jan 09, 2024
Tracked Since Feb 18, 2026