CVE-2024-21412

HIGH KEV RANSOMWARE

Internet Shortcut Files - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2024-21412 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 13, 2024, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including lsr00ter and auditor-kbfg.

Description

Internet Shortcut Files Security Feature Bypass Vulnerability

Exploits (2)

nomisec WORKING POC 9 stars
by lsr00ter · poc
https://github.com/lsr00ter/CVE-2024-21412_Water-Hydra

This repository provides a functional proof-of-concept for CVE-2024-21412, leveraging Windows Advanced Query Syntax (AQS) and WebDAV to bypass Microsoft Defender SmartScreen. It includes a Docker-based Samba server setup and instructions for crafting a malicious payload to exploit the vulnerability.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (SmartScreen bypass)
No auth needed
Prerequisites: Docker environment · WebDAV server setup · Malicious payload preparation
devstral-2 · analyzed Feb 18, 2026

patchapalooza WORKING POC
by auditor-kbfg · client-side
https://github.com/auditor-kbfg/Pentest_Training

This repository contains functional exploit code for CVE-2024-21412, demonstrating techniques for executing arbitrary commands via CHM files and Word macros. It includes scripts for creating malicious LNK files, setting up web servers for data exfiltration, and executing payloads.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (CHM, Word Macros)
No auth needed
Prerequisites: Python for web server · CHM file execution · Word macro execution
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3: 8.1
EPSS: 0.9377
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2024-02-13
VulnCheck KEV: 2024-02-13
InTheWild.io: 2024-02-13
ENISA EUVD: EUVD-2024-19121
Ransomware Use: Confirmed
CWE: CWE-693
Status: published
Products (9)
microsoft/windows_10_1809 < 10.0.17763.5458
microsoft/windows_10_21h2 < 10.0.19044.4046
microsoft/windows_10_22h2 < 10.0.19045.4046
microsoft/windows_11_21h2 < 10.0.22000.2777
microsoft/windows_11_22h2 < 10.0.22621.3155
microsoft/windows_11_23h2 < 10.0.22631.3155
microsoft/windows_server_2019 < 10.0.17763.5458
microsoft/windows_server_2022 < 10.0.20348.2322
microsoft/windows_server_2022_23h2 < 10.0.25398.709
Published: Feb 13, 2024
KEV Added: Feb 13, 2024
Tracked Since: Feb 18, 2026