A remote code execution vulnerability in Microsoft’s .NET Framework is being exploited in the wild, the US’s CISA has confirmed. CVE-2024-29059 was first reported to Redmond in December 2023. Microsoft first denied that it needed a fix, but then patched it in early 2024, without initially allocating a CVE.
“An attacker who successfully exploited this vulnerability could obtain the ObjRef URI which could lead to remote code execution,” Microsoft’s advisory said, describing the attack vector as “network”, with no user interaction needed. Whilst the .NET vulnerability is classed as an “information disclosure” one, per the advisory’s details, it leads to RCE.
In February 2024, CODE WHITE, which first reported the bug, published technical details and an exploit for leaking internal object URIs, which can be used to perform .NET Remoting attacks. It noted in its blog at the time that “Although already considered deprecated in 2009, .NET Remoting is still around. Even where developers might not expect it such as in ASP.NET web applications, both on-premises and on Azure…”
As The Stack published, Microsoft’s advisory had not been updated to reflect exploitation. Neither CISA nor Microsoft has published any information on how widespread exploitation of the vulnerability is, or any further details. Do the right thing: assess for exposure and patch up.