Mallory
Severity: High | CISA KEV | Exploited in the wild | Public exploit

Windows Task Scheduler Elevation of Privilege Vulnerability

Identifiers: CVE-2024-49039, CWE-269

CVE-2024-49039 is an elevation of privilege vulnerability in Microsoft Windows Task Scheduler. Microsoft describes it as allowing a specially crafted application to elevate privileges to Medium Integrity level, and multiple reports state it can be triggered from a low-privilege AppContainer context. Supporting reporting from ESET and Google Threat Intelligence Group indicates the flaw was used as part of an exploit chain with Firefox CVE-2024-9680 to escape the browser sandbox. GTIG further reported the chain abused Windows RPC behavior associated with Task Scheduler to let an unprivileged context create and execute scheduled tasks as SYSTEM, resulting in escalation from low integrity to SYSTEM. Publicly available content does not identify the exact vulnerable function or patch-diff-confirmed root cause, but the vulnerability is consistently characterized as a Task Scheduler/RPC privilege boundary failure enabling AppContainer escape and local privilege escalation.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows code running in a restricted local context to break out of the intended privilege boundary. At minimum, Microsoft states the flaw permits elevation from a low-privilege AppContainer to Medium Integrity. Third-party reporting indicates real-world exploitation achieved escalation from low integrity to SYSTEM by abusing privileged RPC functionality and scheduled task creation/execution. In practice, this enables sandbox escape, execution outside the browser/AppContainer sandbox, and full local compromise of the affected Windows host when chained appropriately.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by minimizing execution of untrusted code in AppContainer-capable applications, hardening browser and application sandbox escape detection, restricting local task creation where operationally feasible, and monitoring for anomalous Task Scheduler and related RPC activity, especially scheduled tasks created or run as SYSTEM from low-privilege user contexts. These are compensating controls only; no complete mitigation short of patching is provided in the source material.
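A detection sketch for the last point above (scheduled tasks registered to run as SYSTEM from ordinary user contexts), added here and not code from Mallory, Microsoft or the PoC repository: it parses Windows Security event 4698 ("A scheduled task was created") records, which carry the creating subject and the task definition XML, and flags registrations whose task principal is SYSTEM but whose subject SID is outside an assumed admin allowlist. The event XML, account names and SIDs are constructed samples.

```python
"""Detection sketch (added here; not Mallory's, Microsoft's or the PoC repo's
code): flag Windows Security event 4698 records whose task principal is SYSTEM
but whose creating subject is not a known admin. All samples are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SYSTEM_SID = "S-1-5-18"
SYSTEM_NAMES = {SYSTEM_SID, "SYSTEM", "NT AUTHORITY\\SYSTEM"}
ADMIN_SUBJECTS = {SYSTEM_SID, "S-1-5-21-1000-2000-3000-500"}  # assumed allowlist

def _event(subject_sid, subject_name, task_name, principal):
    """Build one constructed 4698 record; TaskContent holds escaped task XML."""
    task_xml = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                f"<Principals><Principal><UserId>{principal}</UserId>"
                "<RunLevel>HighestAvailable</RunLevel></Principal></Principals></Task>")
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="SubjectUserSid">{subject_sid}</Data>'
            f'<Data Name="SubjectUserName">{subject_name}</Data>'
            f'<Data Name="TaskName">{task_name}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # a regular user registering a SYSTEM task is the anomaly
    _event("S-1-5-21-1000-2000-3000-1105", "alice", "\\Updater", SYSTEM_SID),
    _event("S-1-5-21-1000-2000-3000-500", "Administrator", "\\Backup", SYSTEM_SID),
    _event("S-1-5-21-1000-2000-3000-1105", "alice", "\\Sync", "S-1-5-21-1000-2000-3000-1105"),
]

def parse_4698(xml_text):
    """Return EventData name/value pairs for a 4698 event, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}EventID") != "4698":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVT_NS}}}Data")}

def task_principal(task_content):
    """Principal/UserId from the (namespaced) task definition XML, or ""."""
    ids = [el.text for el in ET.fromstring(task_content).iter() if el.tag.endswith("}UserId")]
    return (ids[0] or "").strip() if ids else ""

def find_suspicious(events):
    """(subject, task, principal) for SYSTEM tasks created by non-admin subjects."""
    hits = []
    for data in filter(None, map(parse_4698, events)):
        principal = task_principal(data.get("TaskContent", ""))
        if principal.upper() in SYSTEM_NAMES and data["SubjectUserSid"] not in ADMIN_SUBJECTS:
            hits.append((data["SubjectUserName"], data["TaskName"], principal))
    return hits
```

Event 4698 is only written when the Audit Other Object Access Events subcategory is enabled, and ADMIN_SUBJECTS must be tuned to the accounts that legitimately register SYSTEM tasks in your environment.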

Remediation

Patch, then assume compromise.

Apply Microsoft's November 12, 2024 security update for CVE-2024-49039 across affected Windows systems. Because the vulnerability was reported as actively exploited in the wild and added to CISA KEV, patching should be prioritized, especially on endpoints exposed to untrusted content such as browsers, email clients, and document-handling workflows. Standard remediation is vendor patch deployment; the provided content does not include a more granular vendor workaround or configuration-only fix.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

WPTaskScheduler_CVE-2024-49039 (maturity: PoC; verified exploit)

This repository provides a proof-of-concept (POC) exploit for CVE-2024-49039, a vulnerability in the WPTaskScheduler.dll component of Windows Task Scheduler (present since Windows 10 1507). The exploit leverages the Task Scheduler's RPC interface to create persistent scheduled tasks, bypassing sandbox and integrity restrictions (such as those imposed on Chrome renderer or AppContainer processes). The main entry point is 'main.cpp', which demonstrates both task creation (for persistence) and task enumeration/deletion via RPC calls. The exploit can be compiled as an executable or DLL (for reflective injection), and is tested on multiple Windows versions (Windows 10, 11, Server 2016). The codebase includes custom IDL definitions for the RPC interface, and uses the 'ncalrpc' protocol for local RPC communication. The exploit does not provide a weaponized payload but demonstrates the ability to persist and escalate privileges by abusing the vulnerable interface. No external network endpoints are used; all actions are performed locally via RPC and file system interactions.

Author: je5442804 | Disclosed Nov 19, 2024 | C++/C | local

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                  Product                   Type
Microsoft Corporation   Windows 10 1507           operating_system
Microsoft Corporation   Windows 10 1607           operating_system
Microsoft Corporation   Windows 10 1809           operating_system
Microsoft Corporation   Windows 10 21h2           operating_system
Microsoft Corporation   Windows 10 22h2           operating_system
Microsoft Corporation   Windows 11 22h2           operating_system
Microsoft Corporation   Windows 11 23h2           operating_system
Microsoft Corporation   Windows 11 24h2           operating_system
Microsoft Corporation   Windows Server 2016       operating_system
Microsoft Corporation   Windows Server 2019       operating_system
Microsoft Corporation   Windows Server 2022       operating_system
Microsoft Corporation   Windows Server 2022 23h2  operating_system
Microsoft Corporation   Windows Server 2025       operating_system
Microsoft Corporation   Windows Server 23h2       operating_system

Vendor-confirmed product mapping.
