CVE-2024-49039

HIGH KEV RANSOMWARE

Windows 10 1507-22H2 and Windows 11 22H2 - Elevation of Privilege via Task Scheduler

Exploitation Summary

CVE-2024-49039 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 12, 2024, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including je5442804.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2024-49039, targeting a vulnerability in WPTaskScheduler.dll (Task Scheduler component) that allows bypassing restricted token sandboxes and elevating to Medium Integrity. The exploit leverages RPC interface manipulation and includes reflective DLL injection capabilities.

Description

Windows Task Scheduler Elevation of Privilege Vulnerability

Exploits (1)

nomisec WORKING POC 135 stars
by je5442804 · local
https://github.com/je5442804/WPTaskScheduler_CVE-2024-49039

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Task Scheduler (WPTaskScheduler.dll) on Windows 10/11 and Server 2016/2019
No auth needed
Prerequisites: Access to a restricted token process (e.g., Chrome renderer, GPU process) · Windows 10/11 or Server 2016/2019 with vulnerable WPTaskScheduler.dll
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.8
EPSS 0.6502
EPSS Percentile 98.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-11-12
VulnCheck KEV 2024-11-12
InTheWild.io 2024-11-12
ENISA EUVD EUVD-2024-43910
Ransomware Use Confirmed
CWE CWE-287
Status published
Products (13)
microsoft/windows_10_1507 < 10.0.10240.20826 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.7515 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.6532 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5131 (3 CPE variants)
microsoft/windows_10_22h2 < 10.0.19045.5131 (3 CPE variants)
microsoft/windows_11_22h2 < 10.0.22621.4460 (2 CPE variants)
microsoft/windows_11_23h2 < 10.0.22631.4460 (2 CPE variants)
microsoft/windows_11_24h2 < 10.0.26100.2314 (2 CPE variants)
microsoft/windows_server_2016 < 10.0.14393.7515
microsoft/windows_server_2019 < 10.0.17763.6532
... and 3 more
Published Nov 12, 2024
KEV Added Nov 12, 2024
Tracked Since Feb 18, 2026