cbcvebase.
CVE-2024-38178
published 2024-08-13

CVE-2024-38178: Scripting Engine Memory Corruption Vulnerability Scripting Engine Memory Corruption Vulnerability

high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-09-03
Exploited in the wild
EPSS
39.46%
98.4th percentile
Scripting Engine Memory Corruption Vulnerability Scripting Engine Memory Corruption Vulnerability

Affected

28 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows_10_version_1507>= 10.0.10240.0 < 10.0.10240.2075110.0.10240.20751
microsoftwindows_10_version_1607>= 10.0.14393.0 < 10.0.14393.725910.0.14393.7259
microsoftwindows_10_version_1809>= 10.0.17763.0 < 10.0.17763.618910.0.17763.6189
microsoftwindows_10_version_21h2>= 10.0.19043.0 < 10.0.19044.478010.0.19044.4780
microsoftwindows_10_version_22h2>= 10.0.19045.0 < 10.0.19045.478010.0.19045.4780
microsoftwindows_11_version_21h2>= 10.0.0 < 10.0.22000.314710.0.22000.3147
microsoftwindows_11_version_22h2>= 10.0.22621.0 < 10.0.22621.403710.0.22621.4037
microsoftwindows_11_version_22h3>= 10.0.22631.0 < 10.0.22631.403710.0.22631.4037
microsoftwindows_11_version_23h2>= 10.0.22631.0 < 10.0.22631.403710.0.22631.4037
microsoftwindows_11_version_24h2>= 10.0.26100.0 < 10.0.26100.145710.0.26100.1457
microsoftwindows_server_2012_r2>= 6.3.9600.0 < 6.3.9600.221346.3.9600.22134
microsoftwindows_server_2016>= 10.0.14393.0 < 10.0.14393.725910.0.14393.7259
microsoftwindows_server_2019>= 10.0.17763.0 < 10.0.17763.618910.0.17763.6189
microsoftwindows_server_2022>= 10.0.20348.0 < 10.0.20348.265510.0.20348.2655
msrcwindows_10
msrcwindows_10_version_1607
msrcwindows_10_version_1809
msrcwindows_10_version_21h2
msrcwindows_10_version_22h2
msrcwindows_11_version_21h2
msrcwindows_11_version_22h2
msrcwindows_11_version_23h2
msrcwindows_11_version_24h2
msrcwindows_server_2012_r2
msrcwindows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

filenameJScript9.dll
filenamead_toast
filenamerubyw.exe
processexplorer.exe
pathC:\Windows\system32
  • The exploit targets Internet Explorer's JScript9.dll (Chakra engine) via a malicious iframe in Toast ad notifications rendered by IE components embedded in third-party free software.
  • RokRAT payload is injected into explorer.exe in four stages; if Avast or Symantec AV is present, injection targets a random binary in C:\Windows\system32 instead — monitor for unusual child processes or injection from those paths.
  • Persistence mechanism: rubyw.exe added to Windows startup and scheduled task firing every four minutes — hunt for rubyw.exe in startup entries and scheduled tasks.
  • RokRAT exfiltrates files with extensions .doc, .mdb, .xls, .ppt, .txt, .amr (among 20 total) to a Yandex cloud instance every 30 minutes — monitor for outbound connections to Yandex cloud storage at regular 30-minute intervals.
  • The exploit is a close variant of the CVE-2022-41128 exploit with only three additional lines of code to bypass Microsoft's prior fixes — existing CVE-2022-41128 detection logic may partially apply.
  • Attack vector requires Edge in Internet Explorer Mode; monitor for Edge processes launching with IE Mode and processing externally-supplied URLs.
  • Check Point IPS signature available: 'Microsoft Scripting Engine Memory Corruption (CVE-2024-38178)' — deploy or validate this IPS rule.
  • ·Exploitation requires the target to be using Edge in Internet Explorer Mode — standard Edge or other browsers are not directly vulnerable via this attack path.
  • ·Even after Microsoft patched the flaw in August 2024, third-party software embedding outdated IE components may not adopt the patch immediately, leaving users exposed.
  • ·The attack was delivered silently via Toast ad notifications in a free software application, meaning users may be compromised without any browser interaction or awareness of IE being invoked.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
cvelistv57.5HIGH
vulncheck7.5HIGH
cisa7.5HIGH
vendor_msrc7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.