CVE-2024-11859
Published 2025-04-07
CVE-2024-11859: DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
Priority: P2 · 75 · high · 8.4 (CVSS 4.0)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.80% (75.8th percentile)
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eset_spol_s_r.o | eset_endpoint_antivirus_for_windows | <= 12.0.2038.0 | — |
| eset_spol_s_r.o | eset_endpoint_security_for_windows | <= 12.0.2038.0 | — |
| eset_spol_s_r.o | eset_internet_security | <= 18.0.12.0 | — |
| eset_spol_s_r.o | eset_mail_security_for_microsoft_exchange_server | <= 11.1.10008.0 | — |
| eset_spol_s_r.o | eset_nod32_antivirus | <= 18.0.12.0 | — |
| eset_spol_s_r.o | eset_safe_server | <= 18.0.12.0 | — |
| eset_spol_s_r.o | eset_security_for_microsoft_sharepoint_server | <= 11.1.15001.0 | — |
| eset_spol_s_r.o | eset_security_ultimate | <= 18.0.12.0 | — |
| eset_spol_s_r.o | eset_server_security_for_windows_server | <= 11.1.12005.2 | — |
| eset_spol_s_r.o | eset_small_business_security | <= 18.0.12.0 | — |
| eset_spol_s_r.o | eset_smart_security_premium | <= 18.0.12.0 | — |
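A worked check against the ranges in the table, added here as an example (not vendor tooling): it parses dotted build numbers into integer tuples so that comparison is numeric rather than lexicographic, which matters for ceilings such as 12.0.2038.0, where a string compare would rank 12.0.9.0 above it and report an affected build as clean. Product keys and ceilings are copied from the table; the installed-version strings are whatever your inventory reports, and the values used in the main block are constructed. Because the table lists no fixed version, the function only answers whether a build falls inside the listed affected range.

```python
"""Check an installed ESET build against the affected ranges in the table above.
Added example, not vendor tooling.  Product keys and ceilings are copied from
the table; the installed-version strings come from your own inventory."""
from typing import Dict, Tuple

# Upper bound of each "<= X" range from the table (the table lists no fixed version).
AFFECTED_MAX: Dict[str, str] = {
    "eset_endpoint_antivirus_for_windows": "12.0.2038.0",
    "eset_endpoint_security_for_windows": "12.0.2038.0",
    "eset_internet_security": "18.0.12.0",
    "eset_mail_security_for_microsoft_exchange_server": "11.1.10008.0",
    "eset_nod32_antivirus": "18.0.12.0",
    "eset_safe_server": "18.0.12.0",
    "eset_security_for_microsoft_sharepoint_server": "11.1.15001.0",
    "eset_security_ultimate": "18.0.12.0",
    "eset_server_security_for_windows_server": "11.1.12005.2",
    "eset_small_business_security": "18.0.12.0",
    "eset_smart_security_premium": "18.0.12.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'12.0.2038.0' -> (12, 0, 2038, 0).  Shorter strings are padded with zeros so
    that '18.0' compares equal to '18.0.0.0'; non-numeric input is rejected."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_affected(product: str, installed: str) -> bool:
    """True if `installed` is inside the affected range listed for `product`.
    Integer-tuple comparison is essential: as strings, '12.0.9.0' sorts *after*
    '12.0.2038.0' because '9' > '2', so a naive check would miss affected builds.
    Unknown products raise rather than silently reporting 'not affected'."""
    if product not in AFFECTED_MAX:
        raise KeyError(f"no affected range on this page for {product!r}")
    return parse_version(installed) <= parse_version(AFFECTED_MAX[product])


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    inventory = [("eset_endpoint_security_for_windows", "12.0.9.0"),
                 ("eset_internet_security", "18.0.13.0")]
    for product, version in inventory:
        print(product, version, "AFFECTED" if is_affected(product, version) else "outside listed range")
```

Feed it the product/version pairs from your endpoint inventory; a KeyError means the product is not one of the eleven rows above, not that it is safe.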
Detection & IOCs (extracted from sources)
- Detect TCESB DLL proxying by monitoring for version.dll loaded from non-system directories (e.g., temp or working directories) into the ecls.exe (ESET command-line scanner) process address space.
- Alert on HTTP GET requests to msdl.microsoft.com/download/symbols from non-developer, non-debugging hosts: TCESB fetches kernel PDB files from the Microsoft symbol server to locate kernel structures.
- Hunt for version.dll dropped in temp directories or alongside ecls.exe; this is the TCESB DLL-proxying artifact observed on multiple compromised devices.
- Caveat: the Microsoft symbol server URL used by TCESB is a legitimate Microsoft service, so detections keyed on it must be scoped to non-developer endpoints to avoid false positives.
- Caveat: ESET patched CVE-2024-11859 in the ecls component on January 21, 2025; detections that target the vulnerable ecls DLL search-order behaviour only apply to unpatched versions from before that date.
- Caveat: the TCESB CSV of kernel offsets matches EDRSandBlast's data as of August 13, 2022; for newer kernel builds absent from that snapshot TCESB falls back to a live PDB download, which is a separate detection opportunity.
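The three detections above, implemented over constructed sample telemetry as an added example (not code from Securelist, ESET or any other cited source). It assumes image-load and file-create events have been normalized from Sysmon Event IDs 7 and 11 (or an EDR equivalent) into dicts with the field names used below, that proxy logs arrive as key=value lines in a format invented for this example, and that DEV_HOSTS is a hypothetical allowlist of developer or debugging endpoints, which is how the false-positive caveat for the symbol-server rule is applied. All sample hosts, paths and symbol URLs are constructed.

```python
"""Detections for the TCESB / CVE-2024-11859 indicators listed above, run over
constructed sample telemetry.  Added example; not code from the page's sources."""
import re
from urllib.parse import urlsplit

# Assumption: paths are compared case-insensitively after normalising separators.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYMBOL_HOST = "msdl.microsoft.com"          # legitimate Microsoft symbol server
SYMBOL_PATH = "/download/symbols"
DEV_HOSTS = {"dev-build-01"}                 # hypothetical allowlist of debugging hosts

# Constructed proxy-log format (not any real product's format): ts host= method= url=
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$")


def _norm(path):
    return path.replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path):
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def detect_image_loads(events):
    """Rule 1: version.dll mapped into ecls.exe from outside System32/SysWOW64 (Sysmon EID 7)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 7 or _basename(e["Image"]) != "ecls.exe":
            continue
        loaded = _norm(e["ImageLoaded"])
        if _basename(loaded) == "version.dll" and not loaded.startswith(SYSTEM_DIRS):
            alerts.append({"rule": "tcesb_dll_proxy_load", "host": e["host"], "path": e["ImageLoaded"]})
    return alerts


def detect_symbol_fetches(proxy_lines):
    """Rule 2: HTTP GET to the symbol server from a host that is not an allowlisted developer box."""
    alerts = []
    for line in proxy_lines:
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "GET":
            continue
        u = urlsplit(m["url"])
        on_symbol_server = (u.hostname or "").lower() == SYMBOL_HOST and u.path.lower().startswith(SYMBOL_PATH)
        if on_symbol_server and m["host"].lower() not in DEV_HOSTS:
            alerts.append({"rule": "kernel_pdb_fetch", "host": m["host"], "url": m["url"]})
    return alerts


def detect_version_dll_drops(events):
    """Rule 3: version.dll written (Sysmon EID 11) into a temp directory or into any
    directory where ecls.exe has been seen running or loading images on that host."""
    ecls_dirs = {}
    for e in events:
        if e.get("EventID") in (1, 7) and _basename(e.get("Image", "")) == "ecls.exe":
            ecls_dirs.setdefault(e["host"], set()).add(_dirname(e["Image"]))
    alerts = []
    for e in events:
        if e.get("EventID") != 11 or _basename(e["TargetFilename"]) != "version.dll":
            continue
        d = _dirname(e["TargetFilename"])
        if "\\temp\\" in d or d in ecls_dirs.get(e["host"], set()):
            alerts.append({"rule": "version_dll_drop", "host": e["host"], "path": e["TargetFilename"]})
    return alerts


def run_all(events, proxy_lines):
    return detect_image_loads(events) + detect_symbol_fetches(proxy_lines) + detect_version_dll_drops(events)


# Constructed sample telemetry (hosts, paths and symbol URLs are made up for this example).
SAMPLE_EVENTS = [
    {"EventID": 7, "host": "WS-042", "Image": r"C:\Users\Public\ecls.exe", "ImageLoaded": r"C:\Users\Public\version.dll"},
    {"EventID": 7, "host": "WS-042", "Image": r"C:\Users\Public\ecls.exe", "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "host": "WS-007", "Image": r"C:\Program Files\ESET\ESET Security\ecls.exe", "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
    {"EventID": 7, "host": "WS-007", "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll"},
    {"EventID": 11, "host": "WS-042", "TargetFilename": r"C:\Users\Public\version.dll"},
    {"EventID": 11, "host": "WS-007", "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\version.dll"},
    {"EventID": 11, "host": "WS-007", "TargetFilename": r"C:\Program Files\App\version.dll"},
]
SAMPLE_PROXY = [
    "2025-04-07T09:12:03Z host=WS-042 method=GET url=https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/00000000000000000000000000000000/ntkrnlmp.pdb",
    "2025-04-07T09:12:05Z host=dev-build-01 method=GET url=https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/00000000000000000000000000000000/ntkrnlmp.pdb",
    "2025-04-07T09:13:00Z host=WS-042 method=GET url=https://www.microsoft.com/en-us/",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS, SAMPLE_PROXY):
        print(a)
```

The third rule derives the directories of ecls.exe from the observed process and image-load events rather than hard-coding the ESET install path, because the detection notes describe version.dll appearing next to ecls.exe in temp or working directories, not only under the vendor path; a rule anchored on the install directory alone would miss a relocated copy of the scanner.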
CVSS provenance
NVD · CVSS v4.0 · 8.4 HIGH · CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck · 8.4 HIGH
Note that the NVD vector scores PR:L (low privileges required) while the vendor description above says the attacker needs administrator privileges; read the 8.4 base score together with that description and with the in-the-wild exploitation flag when prioritizing.
GHSA
GHSA-w85p-m37q-fvfw (ghsa_unreviewed · 2025-04-07 · CVE-2024-11859 [MEDIUM] · CWE-427)
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
VulnCheck
eset internet_security Uncontrolled Search Path Element (vulncheck · 2024 · CVSS 8.4 · CVE-2024-11859 [HIGH])
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
Affected: eset internet_security
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
- https://www.picussecurity.com/resource/blog/dissecting-toddycat-cyber-espionage-and-mitre-ttps
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
No detection rules found.
No public exploits indexed.
Checkpoint
14th April – Threat Intelligence Report (blogs_checkpoint · 2025-04-14; indexed under CVE-2024-50623)
## 14th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 14th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The United States Office of the Comptroller of the Currency (OCC), an independent bureau of the Department of the Treasury, has suffered a significant security breach. Threat actors have gained access to the bureau’s email messages for a period of a year and a half. According to the agency’s disclosure, the messages included
Securelist
How ToddyCat tried to hide behind AV software (blogs_securelist · 2025-04-07 · CVSS 8.4 · CVE-2024-11859 [HIGH])
Table of Contents
- Detection
- Loading the tool
- DLL proxying
- CVE-2024-11859 vulnerability in ESET Command line scanner
- Basic functionality
- Searching for addresses in the kernel memory
- Vulnerable driver
- Launching the payload
- Takeaways
- Indicators of compromise
  - Malicious Files Hashes
  - Legitimate file for DLL proxying
  - Legitimate files for BYOVD
Authors
- Andrey Gunkin
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drive
Securelist
APT group ToddyCat exploits a vulnerability in ESET for DLL proxying (blogs_securelist · 2025-04-07)
Table of Contents
- Detection
- Loading the tool
- Basic functionality
- Takeaways
- Indicators of compromise
Authors
- Andrey Gunkin
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of t