Medium

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Identifiers: CVE-2024-21302 · CWE-284 (Improper Access Control)

CVE-2024-21302 is a Windows Secure Kernel Mode elevation of privilege vulnerability affecting Windows systems that support Virtualization-Based Security (VBS), including Windows 10 and later, Windows Server 2016 and later, and certain Azure VM SKUs. The flaw allows an attacker who already has administrator privileges on the target to replace current Windows system files with older, vulnerable versions. By rolling back VBS-related binaries and other protected components, the attacker can reintroduce previously patched vulnerabilities into an otherwise updated system. Microsoft’s description and the supporting reporting indicate this is fundamentally a rollback/downgrade weakness in the protection of VBS-related system components, enabling circumvention of some VBS protections and exposure of data protected by VBS.


Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with local administrative control to defeat part of the security value of a fully patched Windows installation by restoring outdated vulnerable binaries. This can re-enable previously mitigated vulnerabilities, weaken or bypass VBS protections, and expose secrets or data protected by VBS. Depending on the downgraded component and follow-on exploit path, this can facilitate further privilege escalation within VBS-protected contexts, compromise of protected security features such as Credential Guard-related protections, and access to sensitive material that would otherwise remain isolated from a compromised normal kernel environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate full remediation is not yet deployed, implement Microsoft’s published rollback-blocking mitigations from KB5042562. The primary mitigations Microsoft describes are: a Microsoft-signed Code Integrity (CI) policy, enabled by default at boot, that prevents rollback of VBS system files for that boot session; and an optional, administrator-deployed revocation policy, SkuSiPolicy.p7b, that blocks vulnerable VBS-related binaries from loading across boot sessions. Before deploying SkuSiPolicy.p7b, validate operational readiness, because Microsoft warns of significant risks: boot failures, boot loops, limits on rolling the policy back, and the need to update WinRE, external boot media, and PXE boot images to compatible versions first. On Windows 11 24H2, Windows Server 2022, and Windows Server 23H2, additional DRTM-based protections are enabled by default and should be retained.

Remediation

Patch, then assume compromise.

Apply Microsoft’s mitigations and servicing guidance for CVE-2024-21302, specifically KB5042562, and ensure systems are updated to supported Windows releases that include Microsoft’s protections. Microsoft states it introduced mitigations including a default-enabled Microsoft-signed Code Integrity policy loaded at boot, and also provided the optional revocation policy SkuSiPolicy.p7b to block vulnerable VBS-related binaries from loading. Follow Microsoft’s deployment guidance carefully, because the mitigation policy and Windows components must come from the same release level. Microsoft later completed mitigations across supported Windows 10 and Windows 11 versions, including Windows 10 1507, 1607, 1809, Windows Server 2016, and later supported platforms. Where applicable, also apply related guidance referenced by Microsoft, including KB5025885 and required Safe OS / WinRE / PXE image updates before enforcing the UEFI-bound revocation policy.
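A pre-deployment readiness check for the SkuSiPolicy.p7b step described in the Mitigation and Remediation sections above, written here as an added example; it is not Microsoft’s or Mallory’s code. It assumes the servicing-staged policy lives under %windir%\System32\SecureBootUpdates\ and the deployed copy under \EFI\Microsoft\Boot\ on the EFI System Partition (paths as understood from KB5042562; confirm against the current KB text), and uses S: as a free drive letter for mounting the ESP. Win32_DeviceGuard and Confirm-SecureBootUEFI are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added readiness check, not vendor code. Paths below are assumptions taken from KB5042562.
$policyName   = 'SkuSiPolicy.p7b'
$stagedPolicy = Join-Path $env:windir "System32\SecureBootUpdates\$policyName"
$espLetter    = 'S'   # assumption: an unused drive letter for the EFI System Partition

$report = [ordered]@{}

# 1. Secure Boot must be on; the revocation policy is UEFI-bound.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "unsupported ($($_.Exception.Message))" }

# 2. VBS state from the DeviceGuard WMI class (2 = running).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$report.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'running' } default { 'unknown' }
}
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$report.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
$report.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)

# 3. Is the policy staged by servicing, and is a copy already on the ESP?
$report.PolicyStaged = Test-Path $stagedPolicy
mountvol "$espLetter`:" /s | Out-Null
try {
    $deployed = "$espLetter`:\EFI\Microsoft\Boot\$policyName"
    $report.PolicyDeployed = Test-Path $deployed
    if ($report.PolicyStaged -and $report.PolicyDeployed) {
        # Mismatch means the ESP copy comes from a different release level than the
        # installed components, which Microsoft says must match.
        $report.PolicyMatchesStaged =
            (Get-FileHash $stagedPolicy).Hash -eq (Get-FileHash $deployed).Hash
    }
} finally {
    mountvol "$espLetter`:" /d | Out-Null
}

# 4. WinRE registration, so the recovery image can be checked for a compatible level.
$report.WinReInfo = (reagentc /info 2>&1 | Out-String).Trim()

[pscustomobject]$report | Format-List
```

Run it before copying the policy and again afterwards; a PolicyMatchesStaged of False, or a WinRE image older than the installed release, is a reason to hold off enforcing the policy.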
Exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor                | Product                 | Type
Microsoft Corporation | Windows 10 1507         | operating_system
Microsoft Corporation | Windows 10 1607         | operating_system
Microsoft Corporation | Windows 10 1809         | operating_system
Microsoft Corporation | Windows 10 21H2         | operating_system
Microsoft Corporation | Windows 10 22H2         | operating_system
Microsoft Corporation | Windows 11 21H2         | operating_system
Microsoft Corporation | Windows 11 22H2         | operating_system
Microsoft Corporation | Windows 11 23H2         | operating_system
Microsoft Corporation | Windows 11 24H2         | operating_system
Microsoft Corporation | Windows Server 2016     | operating_system
Microsoft Corporation | Windows Server 2019     | operating_system
Microsoft Corporation | Windows Server 2022     | operating_system
Microsoft Corporation | Windows Server 2022 23H2 | operating_system
Microsoft Corporation | Windows Server 23H2     | operating_system

Vendor-confirmed product mapping.
