CVE-2024-1853
published 2024-03-14

Priority: P185 · Severity: medium · CVSS 3.1 base score: 5.5
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.20% (10.0th percentile)
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Affected (1 range)

Vendor: zemena · Product: antilogger · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

filename: zam64.sys
filename: zamguard64.sys
other: 0x80002048
  • Monitor for IOCTL code 0x80002048 being sent to zam64.sys or zamguard64.sys drivers; this specific control code triggers arbitrary process termination.
  • Killer Ultra malware unpacks the vulnerable Zemana driver and creates a new Windows service at runtime; monitor for new service creation events associated with dropped driver files.
  • BlackByte drops renamed copies of zamguard64.sys using a naming convention of eight random alphanumeric characters followed by an underscore and an iterating number; monitor for driver files matching this pattern.
  • The CVE affects Zemana AntiLogger v2.74.204.664 specifically; other versions may or may not be vulnerable.
  • The Zemana zamguard driver vulnerability was a core component of the commercial Terminator EDR killer tool sold on illicit marketplaces; blocklisting the driver hash alone may be insufficient as threat actors rename the driver.

CVSS provenance

NVD: CVSS v3.1, 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
VulnCheck: 5.5 MEDIUM