CVE-2024-38063: Zero-click vulnerability found in all versions of Windows
Microsoft has alerted users to a critical TCP/IP vulnerability that enables remote code execution (RCE) on all Windows systems on which the IPv6 protocol is enabled, as it is by default.
The vulnerability, identified as CVE-2024-38063 (CVSS score: 9.8), is linked to an integer underflow and can be exploited by attackers to overflow buffers and execute arbitrary code on vulnerable systems, including Windows 10, Windows 11, and Windows Server. The flaw was discovered by a security researcher from Kunlun Lab, known by the alias XiaoWei.
XiaoWei emphasized the gravity of the threat and stated that he would withhold additional details for the time being. The researcher also noted that disabling IPv6 via the local Windows firewall would not prevent exploitation of the vulnerability, as the flaw is triggered before the firewall processes the packets.
In its official advisory, Microsoft explained that attackers could remotely exploit the flaw by repeatedly sending specially crafted IPv6 packets. The vulnerability is characterized by its low exploitation complexity, which increases the likelihood of its use in attacks. The company highlighted that similar vulnerabilities have been targeted in past attacks, making this flaw particularly appealing to malicious actors.
For those unable to immediately apply the latest security updates, Microsoft recommends disabling IPv6 to mitigate the risk of attack. However, the company warns that disabling IPv6 may cause disruptions in the functionality of certain Windows components, as the protocol has been a mandatory part of the operating system since Windows Vista and Windows Server 2008.
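Microsoft's interim mitigation above, as an added PowerShell example that is not from the advisory or this article: it first checks whether the fix is installed, then audits which adapters still have the IPv6 stack bound and, only when run with the `-Disable` switch, unbinds it per adapter (`ms_tcpip6` is the standard Windows binding component ID for IPv6). The KB number of the update is not given on this page, so `$FixKb` is a placeholder you must replace.

```powershell
param(
    [switch]$Disable,                 # audit only unless this switch is given
    [string]$FixKb = 'KB0000000'      # PLACEHOLDER: replace with the KB that ships the CVE-2024-38063 fix
)

# 1. Is the fix already installed? If so, no IPv6 change is needed.
$patched = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
if ($patched) {
    Write-Host "Update $FixKb is installed (on $($patched.InstalledOn)); IPv6 can stay enabled."
    return
}
Write-Warning "Update $FixKb not found; this system may be exposed to CVE-2024-38063."

# 2. Audit: which adapters still have the IPv6 stack (ms_tcpip6) bound?
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if (-not $bound) {
    Write-Host 'IPv6 is not bound to any adapter.'
    return
}
$bound | Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize

# 3. Mitigate only when explicitly requested; print the rollback command for each adapter.
if ($Disable) {
    foreach ($b in $bound) {
        Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6 -Confirm:$false
        Write-Host "IPv6 unbound from adapter '$($b.Name)'. Re-enable after patching with:"
        Write-Host "  Enable-NetAdapterBinding -Name '$($b.Name)' -ComponentID ms_tcpip6"
    }
} else {
    Write-Host 'Audit only. Re-run with -Disable to unbind IPv6 from the adapters listed above.'
}
```

Unbinding per adapter is reversible and scoped to the interfaces you choose; Microsoft's registry-based method (the `DisabledComponents` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters`) is the other documented route, and the advisory's warning about breaking Windows components applies to both.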
Trend Micro has deemed CVE-2024-38063 one of the most severe vulnerabilities patched by Microsoft in the current security update. The company underscored that the vulnerability is classified as “wormable,” meaning it could propagate between systems without user intervention, much like a computer worm. Trend Micro also reminded users that IPv6 is enabled by default on nearly all devices, complicating efforts to prevent attacks.