cbcvebase.
CVE-2024-38260
published 2024-09-10

CVE-2024-38260: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Priority: P2 (59), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.62% (73.1th percentile)

Affected (19 ranges)

Vendor     Product                                                       Version range                          Fixed in
microsoft  windows_server_2008                                           -                                      -
microsoft  windows_server_2008_r2_service_pack_1                         >= 6.1.7601.0, < 6.1.7601.27320        6.1.7601.27320
microsoft  windows_server_2012                                           -                                      -
microsoft  windows_server_2012                                           >= 6.2.9200.0, < 6.2.9200.25073        6.2.9200.25073
microsoft  windows_server_2012_r2                                        >= 6.3.9600.0, < 6.3.9600.22175        6.3.9600.22175
microsoft  windows_server_2016                                           < 10.0.14393.7336                      10.0.14393.7336
microsoft  windows_server_2016                                           >= 10.0.14393.0, < 10.0.14393.7336     10.0.14393.7336
microsoft  windows_server_2019                                           < 10.0.17763.6293                      10.0.17763.6293
microsoft  windows_server_2019                                           >= 10.0.17763.0, < 10.0.17763.6293     10.0.17763.6293
microsoft  windows_server_2022                                           < 10.0.20348.2700                      10.0.20348.2700
microsoft  windows_server_2022                                           >= 10.0.20348.0, < 10.0.20348.2700     10.0.20348.2700
microsoft  windows_server_2022_23h2                                      < 10.0.25398.1128                      10.0.25398.1128
msrc       windows_server_2008_r2_for_x64-based_systems_service_pack_1   -                                      -
msrc       windows_server_2012                                           -                                      -
msrc       windows_server_2012_r2                                        -                                      -
msrc       windows_server_2016                                           -                                      -
msrc       windows_server_2019                                           -                                      -
msrc       windows_server_2022                                           -                                      -
msrc       windows_server_2022_23h2_edition                              -                                      -

Detection & IOCs (extracted from sources)

  • Any authenticated (low-privilege) attacker can trigger this RCE vulnerability in the Windows Remote Desktop Licensing Service — no admin or elevated privileges are required. Detection should therefore focus on anomalous or unexpected connections and requests to the RD Licensing Service from authenticated but non-administrative accounts.
  • The target service is the Windows Remote Desktop Licensing Service. Monitor it for unexpected remote interactions, crashes, or unusual child-process spawning that may indicate exploitation attempts.
  • As of the advisory publication, this vulnerability has NOT been publicly disclosed or exploited in the wild, and exploitation is rated 'Less Likely' for the latest software release. No public PoC exists at this time.
  • Customer action is required — patching is necessary. Refer to the KB articles (e.g., KB5043050, KB5042881, KB5043051, KB5043125, KB5043138) for the relevant OS-specific patches.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc  -        8.8    HIGH      -