CVE-2024-21338 Overview
CVE-2024-21338 is an elevation of privilege vulnerability in the Windows kernel, specifically in the AppLocker driver appid.sys. The flaw allows an attacker who already runs code locally, in practice as an administrator, to abuse an exposed IOCTL handler and execute arbitrary code in kernel mode. Microsoft confirmed the vulnerability affects supported versions of Windows 10, Windows 11, and Windows Server. CISA added the issue to its Known Exploited Vulnerabilities catalog after Avast researchers observed the Lazarus group using it as an admin-to-kernel zero-day to deploy the FudModule rootkit. At the time of writing the EPSS score for this issue was 79.142% (99.08 percentile), reflecting active exploitation interest.
Critical Impact
Successful exploitation grants kernel-level code execution, enabling attackers to disable security products, tamper with kernel objects, and achieve full host compromise.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2019, Server 2022, and Server 2022 23H2
Discovery Timeline
- 2024-02-13 - Microsoft releases the fix in the February Patch Tuesday update; CVE-2024-21338 published to NVD
- 2024-03-04 - CISA adds CVE-2024-21338 to the Known Exploited Vulnerabilities catalog
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2024-21338
Vulnerability Analysis
The vulnerability resides in the Windows AppLocker driver appid.sys, which exposes an IOCTL interface to user mode. One of its handlers consumes attacker-controlled input, derives a function pointer from it, and calls that pointer without validating that the target is code the driver owns. An attacker holding administrative privileges in user mode can therefore craft an IOCTL request that makes the driver call an attacker-chosen address in kernel context. Microsoft's servicing criteria do not formally treat admin-to-kernel as a security boundary, but the flaw was patched because it gives an administrator arbitrary kernel code execution without loading any additional driver, which defeats kernel driver signature enforcement and lets the attacker disable endpoint defenses. Public reporting from Avast attributes in-the-wild exploitation to the Lazarus group, which used the bug to install the FudModule rootkit and disable security telemetry. The CWE classification is CWE-822 (Untrusted Pointer Dereference).
Root Cause
The root cause is missing validation of a pointer (or the index used to derive one) that reaches appid.sys through an IOCTL input buffer. The driver treats attacker-influenced data as a trusted function pointer and calls it, so kernel control flow can be redirected to an address the caller chooses.
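The bug class described in the analysis and root cause above, as an added example: this is illustrative code written for this page, not appid.sys source or Microsoft's patch. It models an IOCTL dispatch routine in user mode so it compiles and runs anywhere; the request structure, the handler names and the dispatch table are assumptions. The vulnerable handler calls a function pointer taken straight from the caller's buffer (CWE-822); the hardened handler only accepts an index into a driver-owned table and never dereferences caller-supplied code pointers. In a real driver the same rule applies with the extra kernel-specific checks noted in the comments.

```c
/*
 * Added example (not appid.sys code): the CWE-822 pattern behind an
 * admin-to-kernel IOCTL bug, modelled in user mode so it compiles and runs
 * anywhere. Struct layout, handler names and the dispatch table are
 * assumptions for illustration, not the real appid.sys interface.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS-style codes used by the handlers (values as in ntstatus.h). */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du

/* Assumed request shape: a caller-supplied buffer that embeds a function
 * pointer, which is exactly what a kernel handler must never trust. */
typedef void (*callback_t)(void *ctx);

struct ioctl_request {
    uint32_t   op;        /* which driver-internal operation is requested  */
    callback_t callback;  /* attacker-controlled in the vulnerable design  */
    void      *ctx;
};

/* Stand-ins for driver-owned routines; all legitimate targets live here. */
static int g_kernel_hits;
static void kernel_op_hash(void *ctx)   { (void)ctx; g_kernel_hits++; }
static void kernel_op_verify(void *ctx) { (void)ctx; g_kernel_hits++; }

static const callback_t k_dispatch[] = { kernel_op_hash, kernel_op_verify };
#define K_DISPATCH_COUNT (sizeof(k_dispatch) / sizeof(k_dispatch[0]))

/* Vulnerable handler: dereferences and calls the pointer exactly as it
 * arrived from user mode. In ring 0 the callee then runs as kernel code. */
uint32_t ioctl_handler_vulnerable(const void *in, size_t in_len)
{
    if (in == NULL || in_len < sizeof(struct ioctl_request))
        return STATUS_INVALID_PARAMETER;
    const struct ioctl_request *req = in;
    req->callback(req->ctx);        /* CWE-822: untrusted pointer dereference */
    return STATUS_SUCCESS;
}

/* Hardened handler: never takes a code pointer from the caller. It accepts
 * only an index into a fixed, driver-owned table, bounds-checks it, and
 * ignores the pointer field entirely. A real driver would additionally
 * ProbeForRead() the user buffer and copy it before use, so the request
 * cannot change between the check and the dispatch. */
uint32_t ioctl_handler_hardened(const void *in, size_t in_len)
{
    if (in == NULL || in_len < sizeof(struct ioctl_request))
        return STATUS_INVALID_PARAMETER;
    struct ioctl_request req;
    memcpy(&req, in, sizeof req);   /* capture once; no double fetch */
    if (req.op >= K_DISPATCH_COUNT)
        return STATUS_INVALID_PARAMETER;
    k_dispatch[req.op](req.ctx);    /* control flow stays inside the driver */
    return STATUS_SUCCESS;
}

/* Simulated attacker payload: in the real attack this would be the code
 * that disables telemetry or loads the rootkit. */
static int g_attacker_ran;
static void attacker_payload(void *ctx) { (void)ctx; g_attacker_ran = 1; }

/* Sends a request with a valid op but a hostile callback pointer.
 * Returns 1 if the attacker's function executed, 0 otherwise. */
int run_exploit_against(uint32_t (*handler)(const void *, size_t))
{
    struct ioctl_request req;
    memset(&req, 0, sizeof req);
    req.op = 0;                     /* legitimate operation index */
    req.callback = attacker_payload;
    g_attacker_ran = 0;
    handler(&req, sizeof req);
    return g_attacker_ran;
}

int main(void)
{
    printf("vulnerable handler ran attacker code: %d\n",
           run_exploit_against(ioctl_handler_vulnerable));
    printf("hardened handler ran attacker code:   %d\n",
           run_exploit_against(ioctl_handler_hardened));
    return 0;
}
```

The distinction to carry into code review of any driver: a user-mode caller may select behaviour (an index, a flag, an opcode), but must never supply the address that behaviour is reached through.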
Attack Vector
Exploitation is local and requires an authenticated user with administrative rights on the host. The attacker opens a handle to the AppLocker driver device, sends a crafted IOCTL, and the driver executes the attacker-chosen pointer in kernel mode on the calling thread. Unlike bring-your-own-vulnerable-driver tradecraft, no extra driver has to be dropped or loaded, which is what makes this path stealthier: the transition to kernel happens entirely through a Microsoft-signed driver that is already present.
No verified proof-of-concept code is reproduced here. Technical write-ups are available in the Avast research on Lazarus and FudModule and Exploit-DB entry 52275.
Detection Methods for CVE-2024-21338
Indicators of Compromise
- Unexpected user-mode processes opening handles to the AppLocker device object \\.\AppId or \Device\AppID outside of normal Microsoft-signed services.
- Loading of the FudModule rootkit or other unsigned kernel modules shortly after suspicious IOCTL traffic to appid.sys.
- Tampering with or unloading of endpoint protection drivers immediately following local privilege escalation.
Detection Strategies
- Hunt for processes other than the svchost.exe instance hosting the AppID service that issue DeviceIoControl calls against the AppLocker driver. Note that neither the Windows Security log nor Sysmon records DeviceIoControl calls, so this requires ETW or EDR telemetry that captures handle opens and IOCTL activity.
- Correlate kernel driver loads (Sysmon Event ID 6, including the Signed and SignatureStatus fields) with prior process activity from non-system binaries to identify admin-to-kernel transitions.
- Alert on creation of new services, scheduled tasks, or driver loads originating from processes that recently elevated to NT AUTHORITY\SYSTEM.
Monitoring Recommendations
- Enable Windows Defender Application Control and audit driver load events: Sysmon Event ID 6 (Driver loaded) for every kernel module, and the Microsoft-Windows-CodeIntegrity/Operational log (Event IDs 3076 and 3077) for images that WDAC would block or has blocked.
- Forward Sysmon Event IDs 1, 6, and 11 to a centralized analytics platform and baseline normal AppLocker driver consumers.
- Monitor for CISA KEV-aligned activity given the confirmed in-the-wild exploitation status.
How to Mitigate CVE-2024-21338
Immediate Actions Required
- Apply the February 2024 Microsoft security updates that patch appid.sys on all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching on internet-exposed servers, jump hosts, and developer workstations where local admin access is broadly available.
- Audit endpoints for prior signs of FudModule or other kernel rootkit activity before declaring remediation complete.
Patch Information
Microsoft addressed the issue in the February 13, 2024 Patch Tuesday release. Refer to the Microsoft CVE-2024-21338 advisory for KB numbers per Windows build, and confirm patch installation via Get-HotFix (or the deprecated wmic qfe list) or the Update History UI.
Workarounds
- No supported workaround exists; installing the security update is the only remediation. The measures below reduce exposure but do not remove the flaw.
- Restrict local administrative accounts and enforce least privilege to reduce the pool of users able to trigger the IOCTL path.
- Enable hypervisor-protected code integrity (HVCI) and a vulnerable driver blocklist to raise the cost of post-exploitation kernel tampering.
# Verify the February 2024 cumulative update is installed. The KB number differs
# per build; take it from the Microsoft advisory and check for it explicitly.
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2024-02-13') } | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn
# Report the OS build and update build revision (UBR) for comparison with the advisory
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object CurrentBuild, UBR, DisplayVersion
# Confirm the patched appid.sys is on disk. Compare FileVersion with the fixed
# version listed for your build; a reboot is required before the new driver is loaded.
(Get-Item "$env:SystemRoot\System32\drivers\appid.sys").VersionInfo | Select-Object FileName, FileVersion, ProductVersion