cbcvebase.
CVE-2024-11859
published 2025-04-07

CVE-2024-11859: DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its…

Priority: P275 · high · 8.4 (CVSS 4.0)
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 1.80% (75.8th percentile)
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.

Affected

11 ranges
Vendor          | Product                                          | Version range    | Fixed in
eset_spol_s_r.o | eset_endpoint_antivirus_for_windows              | <= 12.0.2038.0   |
eset_spol_s_r.o | eset_endpoint_security_for_windows               | <= 12.0.2038.0   |
eset_spol_s_r.o | eset_internet_security                           | <= 18.0.12.0     |
eset_spol_s_r.o | eset_mail_security_for_microsoft_exchange_server | <= 11.1.10008.0  |
eset_spol_s_r.o | eset_nod32_antivirus                             | <= 18.0.12.0     |
eset_spol_s_r.o | eset_safe_server                                 | <= 18.0.12.0     |
eset_spol_s_r.o | eset_security_for_microsoft_sharepoint_server    | <= 11.1.15001.0  |
eset_spol_s_r.o | eset_security_ultimate                           | <= 18.0.12.0     |
eset_spol_s_r.o | eset_server_security_for_windows_server          | <= 11.1.12005.2  |
eset_spol_s_r.o | eset_small_business_security                     | <= 18.0.12.0     |
eset_spol_s_r.o | eset_smart_security_premium                      | <= 18.0.12.0     |

Detection & IOCs (extracted from sources)

filename: version.dll
filename: ecls
filename: DBUtilDrv2.sys
other: Trojan.Win64.ToddyCat.a
other: Trojan.Win64.ToddyCat.b
other: HEUR:HackTool.Win64.EDRSandblast.a
  • Detect TCESB DLL-proxying by monitoring for version.dll loaded from non-system directories (e.g., temp or working directories) within the ecls.exe (ESET Command-line scanner) process address space.
  • Alert on HTTP GET requests to msdl.microsoft.com/download/symbols from non-developer/non-debugging hosts, as TCESB fetches kernel PDB files from the Microsoft symbol server to locate kernel structures.
  • Hunt for version.dll dropped in temp directories or alongside ecls/ecls.exe, as this is the TCESB DLL-proxying artifact observed on multiple compromised devices.
  • The Microsoft symbol server URL used by TCESB is a legitimate Microsoft service; detections based on this URL must be scoped to non-developer endpoints to avoid false positives.
  • ESET patched CVE-2024-11859 in the ecls component on January 21, 2025; detections targeting the vulnerable ecls DLL search-order behavior are only relevant for unpatched versions prior to this date.
  • The TCESB CSV kernel offset data matches EDRSandBlast as of August 13, 2022; newer kernel versions not in that snapshot will cause TCESB to fall back to live PDB download, which is a separate detection opportunity.
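The two detection ideas above (version.dll loaded into ecls from a non-system directory, and symbol-server fetches from hosts that are not developer machines) as an added example, not code from cbcvebase, ESET or the cited sources; the event records are constructed Sysmon-style and proxy-log-style dicts, and their field names and the host names are assumptions.

```python
from pathlib import PureWindowsPath

# Windows system library locations; version.dll loaded from anywhere else
# by the ESET command-line scanner matches the TCESB sideloading pattern.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYMBOL_HOST = "msdl.microsoft.com"      # legitimate Microsoft symbol server
SYMBOL_PATH = "/download/symbols"

def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def check_image_load(ev: dict):
    """Sysmon Event ID 7 style record: Image = loading process, ImageLoaded = DLL."""
    loader = PureWindowsPath(ev["Image"]).name.lower()
    dll = PureWindowsPath(ev["ImageLoaded"]).name.lower()
    if loader in ("ecls.exe", "ecls") and dll == "version.dll" \
            and not in_system_dir(ev["ImageLoaded"]):
        return f"{ev['Host']}: version.dll loaded by ecls from {ev['ImageLoaded']}"
    return None

def check_symbol_fetch(ev: dict, developer_hosts: frozenset):
    """Proxy-log style record (assumed fields): Host = client, DestHost, Url."""
    if ev["DestHost"].lower() == SYMBOL_HOST and ev["Url"].startswith(SYMBOL_PATH) \
            and ev["Host"] not in developer_hosts:
        return f"{ev['Host']}: kernel PDB fetch from {SYMBOL_HOST}{ev['Url']}"
    return None

def triage(events, developer_hosts=frozenset()):
    """Return one alert string per suspicious event; developer hosts are allow-listed."""
    alerts = []
    for ev in events:
        hit = (check_image_load(ev) if ev["Kind"] == "image_load"
               else check_symbol_fetch(ev, developer_hosts))
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample events (not real telemetry); the PDB GUID is a placeholder.
SAMPLE = [
    {"Kind": "image_load", "Host": "WS-01", "Image": r"C:\Users\a\AppData\Local\Temp\ecls.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\version.dll"},
    {"Kind": "image_load", "Host": "WS-02", "Image": r"C:\Program Files\ESET\ESET Security\ecls.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Kind": "http", "Host": "WS-01", "DestHost": "msdl.microsoft.com",
     "Url": "/download/symbols/ntoskrnl.pdb/PLACEHOLDERGUID/ntoskrnl.pdb"},
    {"Kind": "http", "Host": "DEV-07", "DestHost": "msdl.microsoft.com",
     "Url": "/download/symbols/ntoskrnl.pdb/PLACEHOLDERGUID/ntoskrnl.pdb"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, developer_hosts=frozenset({"DEV-07"})):
        print(alert)
```

Only WS-01 produces alerts here: its ecls loads version.dll from a Temp directory and it fetches a kernel PDB, while WS-02 loads the system copy and DEV-07 is allow-listed.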

CVSS provenance

NVD: v4.0, 8.4 HIGH, CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.4 HIGH