CVE-2024-43639
published 2024-11-12CVE-2024-43639: Windows KDC Proxy Remote Code Execution Vulnerability
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.75%
94.5th percentile
Windows KDC Proxy Remote Code Execution Vulnerability
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.25165 | 6.2.9200.25165 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.22267 | 6.3.9600.22267 |
| microsoft | windows_server_2016 | < 10.0.14393.7515 | 10.0.14393.7515 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.7515 | 10.0.14393.7515 |
| microsoft | windows_server_2019 | < 10.0.17763.6532 | 10.0.17763.6532 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.6532 | 10.0.17763.6532 |
| microsoft | windows_server_2022 | < 10.0.20348.2849 | 10.0.20348.2849 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.2849 | 10.0.20348.2849 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.1251 | 10.0.25398.1251 |
| microsoft | windows_server_2025 | < 10.0.26100.2314 | 10.0.26100.2314 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.2314 | 10.0.26100.2314 |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability only exists on servers running the KDC Proxy Server service (KPSSVC). Detection should focus on identifying hosts with KPSSVC running and exposed. ↗
- →Only Windows Servers configured as MS-KKDCP (Kerberos Key Distribution Center Proxy Protocol) servers are vulnerable — domain controllers are NOT affected. Scope detection/hunting to KKDCP proxy servers specifically. ↗
- →Attack vector is unauthenticated and remote, delivered via a specially crafted application exploiting a cryptographic protocol flaw in Windows Kerberos. Monitor KPSSVC for anomalous or malformed inbound Kerberos proxy requests from unauthenticated sources. ↗
- →KPSSVC will NOT start on-demand; if it is running, the system is actively vulnerable. Audit service state of KPSSVC (KDC Proxy Server service) across the environment as a detection/exposure check. ↗
- ·Exploitation requires KPSSVC to already be running and configured; systems without KPSSVC enabled are not exploitable, limiting the attack surface to intentionally deployed KDC Proxy servers. ↗
- ·Domain controllers running standard KDC are NOT affected — only dedicated KKDCP proxy servers are in scope, which may reduce false-positive risk when scoping detection rules. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Windows KDC Proxy Remote Code Execution Vulnerability
vendor_msrc·2024-11-12·CVSS 9.8
CVE-2024-43639 [CRITICAL] CWE-197 Windows KDC Proxy Remote Code Execution Vulnerability
Windows KDC Proxy Remote Code Execution Vulnerability
FAQ: How could an attacker exploit this vulnerability?
An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.
FAQ: Is KDC Proxy Server service (KPSSVC) a dependency of KKDCP?
The vulnerability only exists on the KPSSVC server. We recommend that instances of KPSSVC server be patched immediately.
Must KPSSVC be running for KKDCP to be enabled and functional?
Yes.
Will KPSSVC be started on-demand?
No. You are only vulnerable if you are already using KPSSVC in your environment. KPSSVC is an additional feature Microsoft has been providing since Windows Server 2012. If you do not have it configured in yo
GHSA
GHSA-2f2h-73pp-4p79: Windows Kerberos Remote Code Execution Vulnerability
ghsa_unreviewed·2024-11-12
CVE-2024-43639 [CRITICAL] CWE-197 GHSA-2f2h-73pp-4p79: Windows Kerberos Remote Code Execution Vulnerability
Windows Kerberos Remote Code Execution Vulnerability
No detection rules found.
No public exploits indexed.
Krebs
Microsoft Patch Tuesday, November 2024 Edition
blogs_krebs·2024-11-13·CVSS 6.5
CVE-2024-49039 [MEDIUM] Microsoft Patch Tuesday, November 2024 Edition
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s Threat Analysis Group with reporting the flaw.
The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.
Satnam Narang, senior staff research engine
Qualys
November 2024 Patch Tuesday Updates for Microsoft & Adobe | Qualys
blogs_qualys·2024-11-12·CVSS 6.5
[MEDIUM] November 2024 Patch Tuesday Updates for Microsoft & Adobe | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for November 2024
- Adobe Patches for November 2024
- Zero-day Vulnerabilities Patched in November Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
Microsoft has released its November 2024 Patch Tuesday updates, targeting various vulnerabilities that could impact users and organizations worldwide. From zero-day threats to key product patches, here’s what’s crucial to apply this mont
Talos
November Patch Tuesday release contains three critical remote code execution vulnerabilities
blogs_talos·2024-11-12·CVSS 9.8
CVE-2024-43639 [CRITICAL] November Patch Tuesday release contains three critical remote code execution vulnerabilities
The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”
CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos that could be exploited by an attacker by creating a specially crafted application to leverage a vulnerable cryptographic protocol. While considered “critical” it was determined that exploitation is “less likely” and not been detected in the wild.
CVE-2024-43625 is a privilege escalation vulnerability in a VMSwitch driver, which is a networking component of Hyper-V. An attacker could exploit this by sending a specific series of network
Krebs
Microsoft Patch Tuesday, November 2024 Edition
blogs_krebs·2024-11-12·CVSS 6.5
CVE-2024-49039 [MEDIUM] Microsoft Patch Tuesday, November 2024 Edition
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s Threat Analysis Group with reporting the flaw.
The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451 , a spoofing flaw that could reveal Net-NTLMv2 hashes , which are used for authentication in Windows environments.
Satnam Narang , senior staff research eng
Bleepingcomputer
Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
blogs_bleepingcomputer·2024-11-12·CVSS 6.5
[MEDIUM] Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
## Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
## Lawrence Abrams
26 Elevation of Privilege vulnerabilities
2 Security Feature Bypass vulnerabilities
52 Remote Code Execution vulnerabilities
1 Information Disclosure vulnerability
4 Denial of Service vulnerabilities
3 Spoofing vulnerabilities
This count does not include two Edge flaws that were previously fixed on November 7th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5046617 and KB5046633 cumulative updates and the Windows 10 KB5046613 update .
## Four zero-days disclosed
This month's Patch Tuesday fixes four zero-days, two of which were actively exploited in attacks, and three were publicly disclosed.
Microsoft classifies a
Qualys
Microsoft and Adobe Patch Tuesday, November 2024 Security Update Review
blogs_qualys·2024-11-12·CVSS 6.5
[MEDIUM] Microsoft and Adobe Patch Tuesday, November 2024 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for November 2024
Adobe Patches for November 2024
Zero-day Vulnerabilities Patched in November Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
Qualys Monthly Webinar Series
Microsoft has released its November 2024 Patch Tuesday updates, targeting various vulnerabilities that could impact users and organizations worldwide. From zero-day threats to key product patches, here’s what’s crucial to apply this month. Here’s a b
Talos
November Patch Tuesday release contains three critical remote code execution vulnerabilities
blogs_talos·2024-11-12·CVSS 9.8
CVE-2024-43639 [CRITICAL] November Patch Tuesday release contains three critical remote code execution vulnerabilities
## November Patch Tuesday release contains three critical remote code execution vulnerabilities
The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”
CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos that could be exploited by an attacker by creating a specially crafted application to leverage a vulnerable cryptographic protocol. While considered “critical” it was determined that exploitation is “less likely” and not been detected in the wild.
CVE-2024-43625 is a privilege escalation vulnerability in a VMSwitch driver, which is a networ
Tenable
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
blogs_tenable·2024-11-12·CVSS 6.5
[MEDIUM] Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Crowdstrike
November 2024 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] November 2024 Patch Tuesday: Updates and Analysis
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
2024-11-12
Published