The Cybersecurity and Infrastructure Security Agency (CISA) has added a Windows privilege-escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation deadline of January 6, 2025. The vulnerability, tracked as CVE-2024-35250, affects Windows 10 and Windows Server releases from 2008 onwards.
This "Windows Kernel-Mode Driver Elevation of Privilege" flaw lets a local attacker who can already run code on a machine elevate to SYSTEM, the highest privilege level on the host, which is typically the step that turns a foothold into full control of the system. Microsoft patched the issue in June 2024, but it has since been exploited in the wild, which is what triggered its addition to the catalog.
Microsoft rates the vulnerability Important rather than Critical (CVSS 7.8), because it cannot be exploited remotely on its own: an attacker needs prior access to the system. That rating is easy to misread as "low risk", but a privilege-escalation bug with a working in-the-wild exploit is exactly what attackers chain after an initial phishing or malware foothold, and CISA stresses timely remediation for that reason. The January 6 deadline is binding on federal civilian agencies under Binding Operational Directive 22-01; other organizations are not bound by it, but CISA urges them to treat KEV entries with the same priority in their own vulnerability management.
The fix shipped in Microsoft's June 2024 Patch Tuesday update. Because Windows security updates are cumulative, any host that has installed the June 2024 update or any later monthly cumulative update is already covered; hosts that have fallen behind need the latest cumulative update for their build applied now. This is especially relevant for organizations still running older Windows 10 and Windows Server versions that fall within the affected range.
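As an added example (not from the Forbes article or from Microsoft), the PowerShell check below reports whether a host's OS build is at or beyond the June 2024 cumulative update that fixed CVE-2024-35250. It reads the build number and Update Build Revision (UBR) from the registry rather than looking for the June KB with Get-HotFix, because later cumulative updates supersede that KB and a host patched in a later month will not list it even though it is fixed. The minimum patched builds in the table are assumed from Microsoft's June 11, 2024 release notes for a few common builds; verify them against the CVE-2024-35250 advisory for the builds in your fleet and extend the table as needed.

```powershell
# Added example: check whether this host carries the June 2024 (or later)
# cumulative update that fixed CVE-2024-35250. Not code from the article.
function Test-Cve202435250Patched {
    # ASSUMED minimum patched builds, from Microsoft's June 11, 2024 release notes.
    # Key = CurrentBuildNumber, Ubr = minimum Update Build Revision.
    # Verify against the CVE-2024-35250 advisory before relying on these values.
    $minimumPatched = @{
        '19045' = @{ Ubr = 4529; Kb = 'KB5039211'; Name = 'Windows 10 22H2' }
        '22631' = @{ Ubr = 3737; Kb = 'KB5039212'; Name = 'Windows 11 23H2' }
        '17763' = @{ Ubr = 5936; Kb = 'KB5039217'; Name = 'Windows Server 2019 / Windows 10 1809' }
        '20348' = @{ Ubr = 2527; Kb = 'KB5039227'; Name = 'Windows Server 2022' }
    }

    # CurrentBuildNumber identifies the OS release; UBR is bumped by every
    # cumulative update, so comparing it is equivalent to "is the June update
    # or anything newer installed".
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$props.CurrentBuildNumber
    $ubr   = [int]$props.UBR

    $min = $minimumPatched[$build]
    if (-not $min) {
        # Build not in the table: do not guess, tell the operator to check manually.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = 'Unknown build'
            Build    = "$build.$ubr"
            Required = 'n/a'
            Status   = 'UNKNOWN - compare this build against the CVE-2024-35250 advisory'
        }
    }

    $patched = $ubr -ge $min.Ubr
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $min.Name
        Build    = "$build.$ubr"
        Required = "$build.$($min.Ubr) ($($min.Kb) or any later cumulative update)"
        Status   = if ($patched) { 'Patched' } else { 'VULNERABLE - install the latest cumulative update' }
    }
}

Test-Cve202435250Patched | Format-List
```

Because the function keeps its lookup table inside its own body, it can be pushed to a list of servers unchanged with `Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-Cve202435250Patched}` and the results piped to a CSV for the remediation tracker. A host reporting UNKNOWN is not necessarily unpatched; it just runs a build the table does not cover and must be checked against the advisory by hand.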
Source: https://www.forbes.com/sites/daveywinder/2024/12/17/new-microsoft-windows-security-deadline-cisa-says-update-before-jan-6