CVE-2024-51324
Published: 2025-02-11
Priority: P180 (low)
CVSS 3.1: 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
Tags: ITW, Exploit, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 0.47% (37.1th percentile)
An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.
Detection & IOCs (extracted from sources)
- registry: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
- command: netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow
- command: C:\AnyDesk.exe --install C:\Program Files (x86)\AnyDesk --start-with-win --silent --update-disabled
- snort: SID 65576, SID 65575, SID 301358
- Detect IOCTL 0x800024b4 sent to the \.\BdApiUtil device — this is the specific control code used to trigger the CVE-2024-51324 kernel-level process termination primitive from user mode.
- Detect PowerShell launched with 'exec bypass' and the 'RunAs' verb (UAC bypass pattern) followed by mass service stop/disable commands — this is the pre-encryption preparation script used by the DeadLock actor.
- Detect use of SystemSettingsAdminFlows.exe with Defender-related arguments (RTP, SpynetReporting, SubmitSamplesConsent, DisableEnhancedNotifications) — used as a living-off-the-land binary to disable Windows Defender without direct registry writes.
- Monitor for AnyDesk silent installation with --update-disabled and --start-with-win flags from an unusual parent process or path — used by the actor to establish persistent remote access one day before encryption.
- Detect the DeadLock ransomware configuration delimiter pattern: pipe-separated 8,888-byte embedded config block with the hardcoded seed string '10581067105910871088211520721049106420921068109010791065111492178193'.
- Alert on reg add setting fDenyTSConnections to 0 combined with a netsh firewall rule opening TCP/3389 in the same session — this is the actor's RDP enablement sequence.
- The DeadLock ransomware embeds an 8,888-byte pipe-delimited configuration block directly in the binary covering crypto seed, timing, kill lists, excluded extensions/paths, campaign ID, ransom note, and visual data — defenders should parse this structure when analyzing samples.
- The ransomware uses time-based cryptographic keys derived from timing parameters (1000, 0055242988) in the config — static key extraction may be insufficient; timing context at execution is required for decryption.
- The actor disabled several commands in the PowerShell script (network share deletion, alternative process termination methods) — these may be re-enabled in future variants, so defenders should not assume the observed script represents the full capability.
- DeadLock does not operate a data leak site; victim contact is exclusively via Session messenger — traditional dark-web leak site monitoring will not provide early warning for this actor.
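The two host-level patterns above that need session correlation (the fDenyTSConnections + TCP/3389 pair, and the AnyDesk silent install with both persistence flags) can be checked with a small session-scoped matcher. This is an added example, not code from Talos or from the sources linked here; the process-creation events, session ids and field layout are constructed for illustration.

```python
"""Session-scoped detection for the RDP-enablement sequence and the AnyDesk
silent-install pattern listed in the detection notes. Added example; the
events below are constructed, not taken from any report."""
import re
from collections import defaultdict

# Constructed process-creation events: (session_id, command_line).
SAMPLE_EVENTS = [
    ("s1", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("s1", "netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow"),
    ("s2", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("s3", r'"C:\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent --update-disabled'),
    ("s4", r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),  # benign launch, no install flags
]

# Indicator patterns (case-insensitive; reg.exe / netsh may appear with or without the extension).
RDP_REG = re.compile(r"\breg(?:\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", re.I)
RDP_FW = re.compile(r"\bnetsh\b.*advfirewall.*localport=3389.*action=allow", re.I)
ANYDESK_INSTALL = re.compile(r"anydesk.*--install", re.I)
ANYDESK_FLAGS = ("--start-with-win", "--update-disabled")

def classify(cmdline):
    """Map one command line to the indicator it matches, or None."""
    if RDP_REG.search(cmdline):
        return "rdp_reg"
    if RDP_FW.search(cmdline):
        return "rdp_fw"
    if ANYDESK_INSTALL.search(cmdline) and all(f in cmdline.lower() for f in ANYDESK_FLAGS):
        return "anydesk_silent_install"
    return None

def detect(events):
    """Return {session_id: [alert, ...]}. The RDP alert fires only when both
    the registry change and the firewall rule occur in the same session."""
    seen = defaultdict(set)
    for sid, cmd in events:
        tag = classify(cmd)
        if tag:
            seen[sid].add(tag)
    alerts = {}
    for sid, tags in seen.items():
        found = []
        if {"rdp_reg", "rdp_fw"} <= tags:
            found.append("rdp_enablement_sequence")
        if "anydesk_silent_install" in tags:
            found.append("anydesk_silent_install")
        if found:
            alerts[sid] = found
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Session s2 shows why correlation matters: the registry change alone does not raise the RDP alert, which keeps a lone administrative change from paging anyone.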
CVSS provenance
- nvd: v3.1 3.8 LOW, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
- vulncheck: 3.8 LOW
GHSA
GHSA-prq3-r4gw-34vp (ghsa_unreviewed · 2025-02-12): CVE-2024-51324 [LOW], CWE-269. Same description as above.
VulnCheck
CVE-2024-51324 [LOW] Improper Privilege Management (vulncheck · 2024 · CVSS 3.8). Same description as above.
Affected: Baidu Antivirus (Baidu)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape/; https://www.sophos.com/en-us/blog/gold-salems-warlock-operation-joins-busy-ransomware-landscape; https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/; https://medium.com/s2wlab-threat-intelligence/ransomware-landsca
No detection rules found.
No public exploits indexed.
Talos
One newsletter to rule them all (blogs_talos · 2025-12-11)
Welcome to this week’s edition of the Threat Source newsletter.
“It’s a dangerous business, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.” — Bilbo Baggins
It’s almost the end of the year, which feels like the perfect time to start an epic quest.
So, Middle-earth. I’m walking across it. Not with the intention of destroying the One Ring, but to increase my daily step count in the nerdiest way possible.
As I suspect is the origin story for most quests these days, my journey began by downloading an app.
It’s called “The Conqueror.” There are many different distances you can choose from, but I chose Middle-earth because I’m that person who watched all the behind-the-scenes footage from Peter Jackson’s Lord
Talos
New BYOVD loader behind DeadLock ransomware attack (blogs_talos · 2025-12-09 · CVSS 3.8), CVE-2024-51324 [LOW]
- While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware.
- The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes.
- The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery.
- The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-bas