CVE-2024-26215: Windows Server 2008 DHCP DoS Vulnerability

CVE-2024-26215 Overview

CVE-2024-26215 is a denial-of-service vulnerability in the Microsoft Windows Dynamic Host Configuration Protocol (DHCP) Server Service. An unauthenticated remote attacker can send crafted network traffic to a vulnerable DHCP server and disrupt address allocation for clients. The flaw is classified under [CWE-400] (Uncontrolled Resource Consumption) and carries a CVSS score of 7.5. The vulnerability affects supported releases of Windows Server from 2008 through 2022 23H2. Microsoft addressed the issue in its April 2024 security update cycle.

Critical Impact

A remote, unauthenticated attacker can take the DHCP Server Service offline, preventing clients from obtaining or renewing IP leases and disrupting network connectivity across the affected environment.

Affected Products

• Microsoft Windows Server 2008 SP2 and Server 2008 R2 SP1
• Microsoft Windows Server 2012 and Server 2012 R2
• Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2

Discovery Timeline

• 2024-04-09 - CVE-2024-26215 published to NVD
• 2024-04-09 - Microsoft releases security update addressing the issue
• 2025-01-08 - Last updated in NVD database

Technical Details for CVE-2024-26215

Vulnerability Analysis

The vulnerability resides in the Windows DHCP Server Service, which assigns IP addresses and network configuration parameters to clients over UDP ports 67 and 68. An attacker who can reach the DHCP service over the network can trigger uncontrolled resource consumption that renders the service unavailable. The flaw impacts availability only. Confidentiality and integrity are not affected, according to the CVSS vector. Exploitation requires no authentication, no user interaction, and low attack complexity, which broadens the pool of potential attackers on any flat or routed network segment that exposes DHCP.

Root Cause

The root cause is mapped to [CWE-400] Uncontrolled Resource Consumption. Microsoft has not published low-level technical details, but the classification indicates that the DHCP Server Service fails to properly bound resources such as memory, CPU, or internal data structures when processing certain inbound requests. Repeated or malformed traffic can exhaust these resources and crash or hang the service.

Attack Vector

The attack vector is network-based. An adversary sends crafted DHCP packets to a vulnerable server reachable on the local subnet or via a DHCP relay. Because DHCP traffic is broadcast and relayed across enterprise networks, exposure is not limited to attackers on the same VLAN. Microsoft has not reported in-the-wild exploitation, and no public proof-of-concept is referenced in the advisory. The EPSS percentile of 91.98 indicates higher-than-average modeled exploitation likelihood, so defenders should treat patching as time-sensitive.

No verified public exploit code is available. See the Microsoft Security Update Guide for CVE-2024-26215 for vendor technical details.

Detection Methods for CVE-2024-26215

Indicators of Compromise

• Unexpected restarts, hangs, or crashes of the DHCPServer service in the Windows Service Control Manager.
• Spikes in inbound UDP traffic to port 67 from a single source or small set of sources.
• Sudden surge of failed lease assignments and clients falling back to APIPA (169.254.0.0/16) addresses.
• DHCP server event log entries indicating service termination or resource allocation failures.

Detection Strategies

• Monitor Windows Event Log channels Microsoft-Windows-DHCP-Server/Operational and System for DHCPServer service stop, crash, or restart events.
• Baseline normal DHCP request volumes per source and alert on anomalies that exceed typical client behavior.
• Correlate DHCP service failures with concurrent inbound UDP/67 traffic patterns to identify externally driven outages versus operational faults.

Monitoring Recommendations

• Forward DHCP server event logs and network flow data to a centralized analytics platform for retention and correlation.
• Track service health metrics for DHCPServer and alert when uptime drops or CPU and memory consumption spike unexpectedly.
• Review patch compliance reports for Windows Server hosts running the DHCP role to confirm coverage of the April 2024 security update.

How to Mitigate CVE-2024-26215

Immediate Actions Required

• Apply the April 2024 Microsoft security update to all Windows Server systems running the DHCP Server role.
• Inventory every DHCP server in the environment, including secondary and failover partners, and validate patch status.
• Restrict network reachability of UDP/67 so that only trusted client subnets and authorized DHCP relays can reach the server.

Patch Information

Microsoft published the official fix on April 9, 2024 through the Microsoft Security Update Guide for CVE-2024-26215. Updates are available for Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2 through Windows Update, WSUS, and the Microsoft Update Catalog. Reboot affected servers after installation to ensure the DHCP Server Service loads the patched binaries.

Workarounds

• If immediate patching is not possible, place DHCP servers behind network ACLs that limit UDP/67 traffic to known client VLANs and relay agents.
• Configure DHCP failover or split-scope partners so a single service crash does not eliminate lease availability for clients.
• Monitor and rate-limit DHCP traffic at edge switches and firewalls to reduce the impact of high-volume request floods.

# Verify the DHCP Server Service status and recent stop events on Windows Server
Get-Service -Name DHCPServer | Format-List Status, StartType
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'} -MaxEvents 200 |
  Where-Object { $_.Message -match 'DHCPServer' }

# Confirm the April 2024 cumulative update is installed
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10