CVE-2024-30051

HIGH KEV RANSOMWARE

Windows DWM Core Library - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-30051 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 14, 2024, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including fortra, devianntsec.

AI-analyzed exploit summary The repository contains a functional exploit PoC for CVE-2024-30051, targeting a vulnerability in Fortra's software. The code demonstrates memory manipulation and hooking techniques to achieve arbitrary code execution, likely leveraging a use-after-free or similar memory corruption issue.

Description

Windows DWM Core Library Elevation of Privilege Vulnerability

Exploits (3)

nomisec WORKING POC 125 stars
by fortra · local
https://github.com/fortra/CVE-2024-30051

The repository contains a functional exploit PoC for CVE-2024-30051, targeting a vulnerability in Fortra's software. The code demonstrates memory manipulation and hooking techniques to achieve arbitrary code execution, likely leveraging a use-after-free or similar memory corruption issue.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Fortra software (specific version not specified)
No auth needed
Prerequisites: Access to the target system · Ability to execute arbitrary code on the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by devianntsec · poc
https://github.com/devianntsec/CVE-2024-30051

This repository contains a functional exploit for CVE-2024-30051, a heap-based buffer overflow in Windows Desktop Window Manager (dwmcore.dll) leading to local privilege escalation to SYSTEM integrity level. The exploit includes detailed technical analysis, empirical heap spray data, and a complete exploitation chain.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 11 22H2 (10.0.22621.3447) with dwmcore.dll
No auth needed
Prerequisites: Windows 11 22H2 (unpatched, no KB5037771) · Visual Studio 2022 with C++ Desktop workload · VM with snapshot for reproducible heap state
devstral-2 · analyzed May 14, 2026 Full analysis →
nomisec WORKING POC
by devianntsec · poc
https://github.com/devianntsec/CVE-2024-30051-DWMHeapOverflow-Masters-Thesis

This repository contains a functional exploit for CVE-2024-30051, a heap-based buffer overflow in Windows Desktop Window Manager (dwmcore.dll) leading to local privilege escalation (LPE) to SYSTEM integrity level. The exploit includes detailed technical analysis, heap spray techniques, and a custom payload DLL.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 11 22H2 (build 22621.3447) with unpatched dwmcore.dll
No auth needed
Prerequisites: Windows 11 22H2 (build 22621.3447) without KB5037771 patch · Visual Studio 2022 for building the exploit · DLL placed at C:\Users\Public\Documents\s11.dll
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.8
EPSS 0.0569
EPSS Percentile 92.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-05-14
VulnCheck KEV 2024-05-14
InTheWild.io 2024-05-14
ENISA EUVD EUVD-2024-27989
Ransomware Use Confirmed
CWE
CWE-122 CWE-787
Status published
Products (11)
microsoft/windows_10_1507 < 10.0.10240.20651 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.6981 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.5820
microsoft/windows_10_21h2 < 10.0.19044.4412
microsoft/windows_10_22h2 < 10.0.19045.4412
microsoft/windows_11_21h2 < 10.0.22000.2960
microsoft/windows_11_22h2 < 10.0.22621.3593
microsoft/windows_11_23h2 < 10.0.22631.3593
microsoft/windows_server_2016 < 10.0.14393.6981
microsoft/windows_server_2019 < 10.0.17763.5820
... and 1 more
Published May 14, 2024
KEV Added May 14, 2024
Tracked Since Feb 18, 2026