CVE-2024-30088

HIGH KEV RANSOMWARE

Windows Kernel - Privilege Escalation

Exploitation Summary

CVE-2024-30088 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added October 15, 2024), with confirmed use in ransomware campaigns. EIP tracks 10 public exploits from researchers including exploits-forsale, tykawaii98, and Zombie-Kaiser.

Description

Windows Kernel Elevation of Privilege Vulnerability

Exploits (10)

nomisec WORKING POC 512 stars
by exploits-forsale · local
https://github.com/exploits-forsale/collateral-damage

This repository contains a functional kernel exploit for Xbox SystemOS targeting CVE-2024-30088, leveraging a CPU side channel and race condition to achieve local privilege escalation (LPE). The exploit includes multiple payload stages and demonstrates a reverse shell execution as SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Xbox SystemOS (kernel versions 25398.4478, 25398.4908, 25398.4909)
No auth needed
Prerequisites: Access to Xbox One or Series console with vulnerable kernel version · Full-trust explorer or USB keyboard simulator for payload delivery · Network connectivity for reverse shell
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 283 stars
by tykawaii98 · local
https://github.com/tykawaii98/CVE-2024-30088

This repository contains a functional proof-of-concept exploit for CVE-2024-30088, a TOCTOU (Time-of-Check Time-of-Use) vulnerability in the Windows kernel's AuthzBasepCopyoutInternalSecurityAttributes function. The exploit leverages a race condition to achieve arbitrary address write with controlled value and size, leading to local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows Kernel (specific versions affected by CVE-2024-30088)
Auth required
Prerequisites: Local access to the system · Ability to execute code with sufficient privileges to call NtQueryInformationToken
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 40 stars
by Zombie-Kaiser · local
https://github.com/Zombie-Kaiser/CVE-2024-30088-Windows-poc

This repository contains a functional proof-of-concept exploit for CVE-2024-30088, targeting a race condition in the NtQueryInformationToken function in Windows. The exploit leverages improper lock management to escalate privileges by manipulating kernel memory structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (specific versions not specified)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 8 stars
by NextGenPentesters · local
https://github.com/NextGenPentesters/CVE-2024-30088-

The repository contains a functional exploit for CVE-2024-30088, leveraging a TOCTOU race condition in Windows token handling to escalate privileges. The PoC uses NtQueryInformationToken to manipulate token structures and gain SYSTEM-level access via winlogon.exe.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (specific version not specified)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 3 stars
by oioio-space · poc
https://github.com/oioio-space/maldev

The repository contains no actual exploit code for CVE-2024-30088. Instead, it includes generic Go development guidelines, design patterns, and C2 (Command & Control) framework components, which are unrelated to the CVE. The absence of technical details about the vulnerability and the presence of C2-related code suggest a potential lure for malicious activity.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 23, 2026

nomisec WORKING POC 2 stars
by repo4Chu · local
https://github.com/repo4Chu/CVE-2024-30088__Windows-TOCTOU-exploit

This repository contains a functional exploit for CVE-2024-30088, a Windows TOCTOU (Time-of-Check Time-of-Use) vulnerability. The exploit leverages a race condition to escalate privileges by manipulating token handles and spawning a SYSTEM-level process via WinRM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (specific version not specified)
No auth needed
Prerequisites: WinRM access · compiled binary uploaded to target · presence of winlogon.exe
devstral-2 · analyzed Apr 17, 2026

nomisec WORKING POC 2 stars
by Admin9961 · local
https://github.com/Admin9961/CVE-2024-30088

This repository contains a functional Python PoC for CVE-2024-30088, a local privilege escalation (LPE) vulnerability. The exploit leverages a race condition and handle manipulation to escalate privileges to SYSTEM by spawning a new process with elevated permissions.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (specific version not specified)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Python environment with ctypes
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 1 star
by Justintroup85 · poc
https://github.com/Justintroup85/exploits-forsale-collateral-damage

The repository lacks actual exploit code and instead references external payloads and artifacts without providing technical details about CVE-2024-30088. The README is vague and does not include legitimate exploit code or analysis.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Unknown
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by FangFang-Yi · poc
https://github.com/FangFang-Yi/CVE-2024-30088

The repository contains only a README.md file with minimal content (just the CVE identifier) and no exploit code, technical details, or additional context.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Jun 11, 2026

Scores

CVSS v3 7.0
EPSS 0.6820
EPSS Percentile 99.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-10-15
VulnCheck KEV 2024-10-11
InTheWild.io 2024-10-15
ENISA EUVD EUVD-2024-28025
Ransomware Use Confirmed
CWE CWE-367
Status published
Products (12)
microsoft/windows_10_1507 < 10.0.10240.20680
microsoft/windows_10_1607 < 10.0.14393.7070 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.5936
microsoft/windows_10_21h2 < 10.0.19044.4529
microsoft/windows_10_22h2 < 10.0.19045.4529
microsoft/windows_11_21h2 < 10.0.22000.3019
microsoft/windows_11_22h2 < 10.0.22621.3737
microsoft/windows_11_23h2 < 10.0.22631.3737
microsoft/windows_server_2016 < 10.0.14393.7070
microsoft/windows_server_2019 < 10.0.17763.5936
... and 2 more
Published Jun 11, 2024
KEV Added Oct 15, 2024
Tracked Since Feb 18, 2026