Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

IdentifiersCVE-2024-38193CWE-269

CVE-2024-38193 is a Microsoft Windows elevation-of-privilege vulnerability in the Ancillary Function Driver (AFD) for WinSock. The provided sources identify it as an actively exploited zero-day patched in Microsoft’s August 2024 security updates and assign it a CVSS score of 7.8. The available content does not include root-cause details such as the specific vulnerable function, memory corruption class, or exact exploitation primitive. Reporting in the supplied material indicates the flaw has been used in the wild and has been associated with deployment of the FudModule rootkit by North Korean threat activity, including reporting that Diamond Sleet exploited CVE-2024-38193 in June 2024.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in local elevation of privilege on Windows. In practice, this would allow an attacker who already has code execution in a lower-privileged context to elevate privileges on the host, likely to SYSTEM or kernel-equivalent execution depending on the exploit path, enabling full compromise of the affected machine. The supplied reporting also notes that EoP vulnerabilities such as this are commonly chained with initial code-execution bugs and may be used to facilitate post-exploitation objectives such as rootkit deployment, defense evasion, persistence, credential theft, and ransomware operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce risk by limiting opportunities for attackers to obtain initial code execution on endpoints, since this is an elevation-of-privilege issue rather than a standalone remote entry point. Prioritize hardening of user workstations and servers, enforce least privilege, restrict execution of untrusted code, monitor for suspicious kernel/driver-level behavior, and use EDR/Defender detections and threat hunting for exploitation artifacts and FudModule-related activity where relevant. These measures are compensating controls only and do not replace patching.

Remediation

Patch, then assume compromise.

Apply Microsoft’s August 2024 security updates for all affected Windows systems. Because the vulnerability is reported as actively exploited in the wild and included in CISA’s Known Exploited Vulnerabilities catalog, patching should be prioritized on exposed and high-value systems. Validate that the relevant cumulative/security update for the installed Windows version has been successfully deployed across the fleet.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app
CVE-2024-38193-NephsterMaturityPoCVerified exploit

This repository contains a local privilege escalation exploit for CVE-2024-38193, targeting the Windows AFD (Ancillary Function Driver) kernel component. The exploit is implemented in C++ and consists of two main code files: 'poc.cpp' and 'poc.h'. The code interacts directly with Windows kernel objects and system calls, including custom usage of NtCreateFile, NtDeviceIoControlFile, and other NT APIs. The exploit crafts and manipulates AFD endpoints (\\Device\\Afd\\Endpoint) and named pipes to achieve arbitrary kernel read/write primitives. It then leverages these primitives to steal the SYSTEM process token, resulting in privilege escalation. The exploit is operational and tested on Windows 11 Pro 23H2 (build 22631.3447). No network or remote attack vector is present; the exploit must be run locally. The repository includes Visual Studio project files and build artifacts, but the core exploit logic resides in the C++ source files.

killvxkDisclosed Dec 3, 2024cpphlocal
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 21h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2008 R2operating_system
Microsoft CorporationWindows Server 2008 Sp2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
microsoft security blogNews
Aug 30, 2024
North Korean threat actor Citrine Sleet exploiting Chromium zero-day

A zero-day vulnerability in the AFD.sys driver in Windows, exploited by Diamond Sleet with the FudModule rootkit to escalate privileges from standard user to kernel access.

Read more
security online infoNews
Aug 20, 2024
Lazarus Group Exploits Microsoft Zero-Days CVE-2024-38193, Patch Urgently

Unknown

Read more
sophos threat researchNews
Aug 15, 2024
August Patch Tuesday goes big – Sophos News

An elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock, actively exploited in the wild.

Read more
the hacker newsNews
Aug 14, 2024
Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Days

Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability; listed among actively exploited zero-days fixed by Microsoft.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-38193
NVD
nvd.nist.gov/vuln/detail/CVE-2024-38193
MITRE CWE · CWE-269
cwe.mitre.org
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193
Exploit
exploit-db.com/exploits/52284
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38193