cbcvebase.
CVE-2024-7344
published 2025-01-14

CVE-2024-7344: Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Priority: P1 80 (high)
CVSS 3.1: 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 1.04% (59.6th percentile)

Affected

28 ranges · showing 25

Vendor | Product | Version range | Fixed in
ces_taiwan | ces_neoimpact | >= * < 10.1.024-20241127 | 10.1.024-20241127
cs-grp | neo_impact | < 10.1.024-20241127 | 10.1.024-20241127
greenware | greenguard | < 10.2.023-20240927 | 10.2.023-20240927
greenware_technologies | greenguard | >= * < 10.2.023-20240927 | 10.2.023-20240927
howyar | sysreturn | < 10.2.023_20240919 | 10.2.023_20240919
howyar_technologies | sysreturn | >= * < 10.2.02320240919 | 10.2.02320240919
msrc | windows_10 | |
msrc | windows_10_version_1607 | |
msrc | windows_10_version_1809 | |
msrc | windows_10_version_21h2 | |
msrc | windows_10_version_22h2 | |
msrc | windows_11_version_22h2 | |
msrc | windows_11_version_23h2 | |
msrc | windows_11_version_24h2 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |
msrc | windows_server_2019 | |
msrc | windows_server_2022 | |
msrc | windows_server_2022_23h2_edition | |
msrc | windows_server_2025 | |
radix | smart_recovery | < 11.2.023-20240927 | 11.2.023-20240927
radix | smartrecovery | >= * < 11.2.023-20240927 | 11.2.023-20240927
sanfong | ez-back_system | < 10.3.024-20241127 | 10.3.024-20241127
sanfong | sanfong_ez-back_system | >= * < 10.3.024-20241127 | 10.3.024-20241127

Detection & IOCs (extracted from sources)

filename: cloak.dat
path: \EFI\Microsoft\Boot\config
path: \EFI\Microsoft\Boot\verify
path: \EFI\Microsoft\Boot\counter
path: \EFI\Microsoft\Boot\bootmgfw.efi.old
path: \EFI\Microsoft\Boot\cloak.dat
filename: notpetyanew.exe
  • Detect presence of cloak.dat on the EFI System Partition; this file contains an XOR-encrypted PE payload used to bypass UEFI Secure Boot via CVE-2024-7344.
  • Monitor for creation of the anomalous files config, verify, counter, and bootmgfw.efi.old under \EFI\Microsoft\Boot\ as indicators of bootkit staging.
  • Verify that UEFI DBX revocations from Microsoft's January 2025 Patch Tuesday have been applied; unrevoked certificates allow reloader.efi to execute even with Secure Boot enabled.
  • Flag UEFI applications that load PE binaries without using the trusted LoadImage/StartImage services, as this is the core exploitation mechanism of CVE-2024-7344.
  • CVE-2024-7344 can be exploited even if none of the named vulnerable products are installed on the target; an attacker only needs to deploy the vulnerable reloader.efi binary.
  • ESET telemetry shows no active in-the-wild use of HybridPetya; it may be a proof-of-concept or early-stage tool.
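A defender-side check that the IOC list above invites, as an added example (not code from the page, from ESET, or from any vendor named here): it scans a mounted ESP directory for the listed paths and, for cloak.dat, tests whether the bytes decode to a PE image under a single-byte XOR key. The single-byte key is an assumption for illustration, since the page only states the payload is XOR-encrypted; the ESP root and the sample tree are constructed placeholders.

```python
import os
import struct
import tempfile

IOC_RELATIVE_PATHS = [            # paths under the EFI System Partition, from this page
    "EFI/Microsoft/Boot/config",
    "EFI/Microsoft/Boot/verify",
    "EFI/Microsoft/Boot/counter",
    "EFI/Microsoft/Boot/bootmgfw.efi.old",
    "EFI/Microsoft/Boot/cloak.dat",
]


def xor_pe_key(data: bytes):
    """Return the single-byte XOR key under which `data` decodes to a PE image
    ('MZ' stub plus 'PE\\0\\0' at e_lfanew), else None. Single-byte key is an assumption."""
    if len(data) < 0x40:
        return None
    key = data[0] ^ 0x4D                      # the only key that yields 'M'
    if data[1] ^ key != 0x5A:                 # must also yield 'Z'
        return None
    e_lfanew = struct.unpack_from("<I", bytes(b ^ key for b in data[0x3C:0x40]))[0]
    if e_lfanew + 4 > len(data) or bytes(b ^ key for b in data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        return None
    return key


def scan_esp(esp_root: str) -> dict:
    """Map each IOC path present under esp_root to the XOR key found (cloak.dat only)."""
    findings = {}
    for rel in IOC_RELATIVE_PATHS:
        full = os.path.join(esp_root, *rel.split("/"))
        if not os.path.isfile(full):
            continue
        key = None
        if rel.endswith("cloak.dat"):
            with open(full, "rb") as fh:
                key = xor_pe_key(fh.read())
        findings[rel] = key
    return findings


def build_sample_esp() -> str:
    """Constructed test tree: a minimal PE header XORed with 0x5A as cloak.dat, plus an empty 'counter'."""
    root = tempfile.mkdtemp()
    boot = os.path.join(root, "EFI", "Microsoft", "Boot")
    os.makedirs(boot)
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40 + b"PE\0\0"
    with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
        fh.write(bytes(b ^ 0x5A for b in pe))
    open(os.path.join(boot, "counter"), "wb").close()
    return root
```

Run `scan_esp` against the mount point of the real ESP (for example the drive letter assigned with `mountvol` on Windows); a key of 0 means the file is an unencrypted PE, which is just as anomalous at that path.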

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vulncheck | 8.2 | HIGH |
vendor_redhat | 8.2 | HIGH |
vendor_msrc | 6.7 | MEDIUM |