CVE-2024-26199 Overview
CVE-2024-26199 is an elevation of privilege vulnerability affecting Microsoft Office, specifically Microsoft 365 Apps Enterprise (x64). The flaw allows a local authenticated attacker to elevate privileges to SYSTEM on a vulnerable host. Microsoft disclosed the issue on March 12, 2024, as part of its monthly security update cycle.
The vulnerability is associated with CWE-59: Improper Link Resolution Before File Access (Link Following), indicating that the Office installer or a related service mishandles file system links during privileged operations. Successful exploitation grants full confidentiality, integrity, and availability impact on the target system.
Critical Impact
Successful exploitation grants SYSTEM-level privileges on hosts running affected Microsoft 365 Apps installations, enabling full host compromise from a low-privilege user account.
Affected Products
- Microsoft 365 Apps for Enterprise (x64)
- Microsoft Office installations using the affected component
- Windows endpoints running vulnerable Microsoft 365 Apps builds
Discovery Timeline
- 2024-03-12 - Microsoft publishes advisory and security patch for CVE-2024-26199
- 2024-03-12 - CVE-2024-26199 published to NVD
- 2024-12-06 - Last updated in NVD database
Technical Details for CVE-2024-26199
Vulnerability Analysis
The vulnerability is a local privilege escalation flaw within Microsoft Office. Any authenticated user can execute a program elevated to SYSTEM privileges, according to the Microsoft Security Response Center advisory. The attack requires local access and low privileges, with no user interaction beyond the attacker's own actions.
The weakness is categorized under [CWE-59], which covers link following issues where a privileged process accesses files through symbolic links, hard links, or junctions without proper validation. An attacker who controls a file path consumed by a privileged Office component can redirect file operations to attacker-chosen locations.
Root Cause
The root cause stems from improper link resolution before file access in a privileged Office process or service. When the affected component performs file operations under elevated context, it does not adequately verify whether path components are reparse points or symbolic links. This allows redirection of writes or reads to sensitive locations the unprivileged user cannot otherwise access.
Attack Vector
An attacker requires local, authenticated access to the target host. The attacker plants a symbolic link, junction, or hard link in a directory writable by the low-privileged user. When the privileged Office component processes the controlled path, it follows the link and performs operations as SYSTEM. The attacker leverages this to overwrite protected files, place malicious binaries in privileged locations, or otherwise execute code as SYSTEM.
No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft CVE-2024-26199 Advisory for vendor technical details.
Detection Methods for CVE-2024-26199
Indicators of Compromise
- Creation of symbolic links, junctions, or hard links by low-privileged users in directories accessed by Office update or repair processes.
- Unexpected file writes to %ProgramFiles%\Microsoft Office, %ProgramData%, or System32 directories originating from Office helper processes.
- New service installations, scheduled tasks, or binaries appearing immediately after Office repair, click-to-run, or installer activity.
Detection Strategies
- Monitor process creation events where Office Click-to-Run (OfficeClickToRun.exe) or installer processes spawn child processes running as SYSTEM from non-standard paths.
- Audit file system operations performed by Office processes that traverse user-writable directories such as %TEMP% or %LOCALAPPDATA%.
- Apply EDR behavioral rules that flag link-following abuse by privileged processes, a common pattern for [CWE-59] exploitation.
Monitoring Recommendations
- Enable Windows Sysmon Event ID 11 (file create) and Event ID 1 (process create) for Office binaries and review for anomalies.
- Track Microsoft 365 Apps build numbers across the fleet and flag endpoints running builds released before the March 12, 2024 security update.
- Correlate local privilege escalation telemetry with subsequent persistence, credential access, or lateral movement events.
How to Mitigate CVE-2024-26199
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2024-26199 Advisory to all affected Microsoft 365 Apps installations.
- Inventory endpoints running Microsoft 365 Apps Enterprise (x64) and verify the click-to-run channel has received the March 2024 update.
- Restrict local logon rights on multi-user systems where Microsoft Office is installed to reduce the local attack surface.
Patch Information
Microsoft released a security update on March 12, 2024 addressing CVE-2024-26199. Customers using Microsoft 365 Apps with automatic updates enabled receive the fix through the standard click-to-run update channel. Administrators managing deferred update channels should confirm the patched build is deployed across all endpoints.
Workarounds
- No vendor-supplied workaround is documented; patching is the supported remediation path.
- Limit interactive logon to trusted users on systems where Office is installed until the patch is applied.
- Enforce least privilege and remove unnecessary local administrative accounts to reduce post-exploitation impact.
# Verify Microsoft 365 Apps build version on Windows endpoints
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
# Trigger an immediate update check via the Click-to-Run client
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
