CVE-2024-29210: Phish Alert Button Privilege Escalation

CVE-2024-29210 is a local privilege escalation vulnerability in Phish Alert Button for Outlook: a regular user can rewrite the add-in's configuration file and redirect its update checks, and, chained with CVE-2024-29209, run code with administrative privileges. This post covers technical details, affected versions, and mitigation steps.

Updated: January 22, 2026

CVE-2024-29210 Overview

A local privilege escalation (LPE) vulnerability has been identified in Phish Alert Button for Outlook (PAB), specifically within its configuration management functionalities. This vulnerability allows a regular user to modify the application's configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges.

The issue stems from improper permission settings on the application's configuration file, which is stored in a common directory accessible to all users. This file includes critical parameters, such as the update server URL. By default, the application does not enforce adequate access controls on this file, allowing non-privileged users to modify it without administrative consent.

Impact

A regular user who redirects the update check and can also exploit CVE-2024-29209 ends up executing code with administrative privileges, which means unauthorized access to sensitive data, installation of additional malware, and full takeover of the affected system. Taken on its own, this CVE is scored Low (CVSS 3.0 base score 2.8; see the vector below): it only changes where the add-in looks for updates, and the code execution comes from the second bug in the chain.

Affected Products

  • Phish Alert Button (PAB) for Outlook versions 1.10.0-1.10.11
  • Second Chance Client versions 2.0.0-2.0.9
  • PIQ Client versions 1.0.0-1.0.15

Discovery Timeline

  • Discovery - Vulnerability discovered by Ceri Coburn at Pen Test Partners
  • 2024-05-07 - CVE-2024-29210 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-29210

Vulnerability Analysis

This local privilege escalation vulnerability is classified as CWE-269 (Improper Privilege Management) and arises from insecure file permissions on the PAB configuration file; the defect itself, a default permission that lets every user write the file, is what CWE-276 (Incorrect Default Permissions) describes. The configuration file resides in a common directory accessible to all users on the system, so any authenticated local user can modify its contents without administrative privileges.

The attack scenario requires local access to exploit. An attacker with regular user access can alter the update server URL specified in the configuration file to point to a malicious server. When the application performs its next update check, it will contact the attacker-controlled server. If the system is also vulnerable to CVE-2024-29209, the attacker can deliver a malicious update package that, when executed, grants them elevated privileges.

Root Cause

The root cause is the default DACL on the configuration file. The file lives in a common directory readable by every user of the machine, which is expected for an Outlook add-in that runs inside each user's session, but the default permissions also let those users write it. Because the file carries the update server URL, write access to it amounts to control over where the add-in fetches its updates from.

This is a classic insecure-permissions defect: sensitive configuration data is not protected from modification by low-privileged users, and whoever can rewrite it can steer a privileged update mechanism.

Attack Vector

An attacker with regular user access can exploit this vulnerability through the following attack chain:

  1. Identify the PAB configuration file in the common directory
  2. Modify the update server URL parameter to point to an attacker-controlled server
  3. Wait for the application to perform its next scheduled update check
  4. Serve a malicious update package from the attacker-controlled server
  5. If combined with CVE-2024-29209, execute arbitrary code with elevated privileges

Exploitation needs local access and user interaction, in the sense that the application has to perform an update check before the redirected URL is used. The CVSS vector recorded for this CVE scores Privileges Required as High (PR:H), which is at odds with the vulnerability description that a regular, non-administrative user can edit the file; the attack chain above follows the description. The Low severity reflects that this CVE on its own only redirects the update check, with code execution depending on CVE-2024-29209.

Detection Methods for CVE-2024-29210

Indicators of Compromise

  • Unexpected modifications to the PAB configuration file, particularly the update server URL parameter
  • Network connections from PAB processes to unknown or suspicious external servers
  • Unusual process execution chains originating from PAB update processes
  • File system audit events showing non-administrator users modifying PAB configuration files

Detection Strategies

  • Monitor file integrity of the PAB configuration file for unauthorized changes
  • Implement network monitoring to detect connections to unauthorized update servers
  • Enable Windows Security auditing for file access events on PAB installation directories
  • Deploy endpoint detection to identify privilege escalation attempts following configuration modifications

Monitoring Recommendations

  • Configure file integrity monitoring (FIM) on PAB configuration directories
  • Establish baseline network behavior for PAB update communications and alert on deviations
  • Monitor for process creation events where PAB update processes spawn unexpected child processes
  • Review Windows Event Logs for security events related to file permission changes
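The auditing and event review recommended in the two lists above, as an added PowerShell example; this is not code from the page, from KnowBe4, or from SentinelOne. It assumes the real configuration file path is passed as -ConfigPath (the page does not give it), that the session is elevated (reading or writing a SACL needs SeSecurityPrivilege), and that the Object Access > File System audit subcategory is enabled, since Security event 4663 is written only when both that policy and a SACL on the object are present.

```powershell
# Added example, not from the original page or from KnowBe4. Assumptions: the
# real PAB configuration file path is supplied as -ConfigPath (unknown here);
# the session is elevated; and the audit policy has the File System subcategory
# enabled, e.g.  auditpol /set /subcategory:"File System" /success:enable
# Without both the policy and a SACL on the file, no 4663 events are written.

function Enable-PabConfigWriteAudit {
    # Add a SACL entry so every successful write-class access to the file,
    # by any principal, is logged as Security event 4663.
    param([Parameter(Mandatory)][string]$ConfigPath)

    $acl    = Get-Acl -LiteralPath $ConfigPath -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', $rights, [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl
}

function Get-PabConfigWriteEvent {
    # Return 4663 records for the configuration file whose granted access mask
    # includes a right that changes the file, its DACL or its owner.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [int]$Hours = 24
    )
    # AccessMask bits of interest: WriteData 0x2, AppendData 0x4, DELETE 0x10000,
    # WRITE_DAC 0x40000, WRITE_OWNER 0x80000.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($data['ObjectName'] -ne $ConfigPath) { return }   # some other audited object
        $mask = [int]$data['AccessMask']                      # e.g. "0x2" -> 2
        if (($mask -band $writeMask) -eq 0) { return }         # read-only access

        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process    = $data['ProcessName']
            AccessMask = '0x{0:X}' -f $mask
        }
    }
}

# Usage (elevated):
# Enable-PabConfigWriteAudit -ConfigPath '<path_to_config_file>'
# Get-PabConfigWriteEvent   -ConfigPath '<path_to_config_file>' -Hours 72 | Format-Table -AutoSize
```

Legitimate writes by the vendor's installer or updater will show up as well; the events worth escalating are those whose subject is an interactive standard user or whose process is not the installer or updater. Keep the audit rule narrow (one file, write-class rights only) so the Security log is not flooded by reads from every Outlook session on the machine.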

How to Mitigate CVE-2024-29210

Immediate Actions Required

  • Verify that the latest version of Phish Alert Button is installed across all systems
  • Manually audit configuration file permissions to ensure only administrators have write access
  • Review network logs for any connections to unauthorized update servers
  • Check for indicators of compromise on systems running affected versions
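The permission audit from the second item above, as an added PowerShell example; it is not code from the page or from KnowBe4. It assumes the configuration file path is passed in, and the list of trusted principals is an assumption to adjust for your environment. It goes slightly beyond the item: it also checks the parent directory, because a user who can create files in the directory and delete the existing one can replace the configuration regardless of the file's own DACL, and it checks the owner, because the owner of a file can always rewrite its permissions.

```powershell
# Added example, not from the original page or from KnowBe4. Assumptions: the
# real PAB configuration file path is supplied as -ConfigPath (unknown here) and
# the trusted-principal list below fits your environment; add a dedicated
# updater service account there if the vendor's updater runs as one.

function Get-UntrustedWriteAce {
    # Every Allow ACE on $Path that grants a right in $Rights to a principal
    # outside $Trusted. Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE
    # 0x40000000), which appear on inherit-only directory ACEs, count as write.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string[]]$Trusted
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $raw = [int]$ace.FileSystemRights
        $isWrite = (($raw -band [int]$Rights) -ne 0) -or (($raw -band 0x50000000) -ne 0)
        if (-not $isWrite) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-PabConfigWriteAccess {
    # Findings for the configuration file, its parent directory and its owner.
    # An empty result means only trusted principals can change the file.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
    )
    # Rights that alter the file's content, DACL or owner.
    $fileRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    # Rights on the directory that let a user delete and re-create the file.
    $dirRights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $owner = (Get-Acl -LiteralPath $ConfigPath).Owner

    @(
        Get-UntrustedWriteAce -Path $ConfigPath -Rights $fileRights -Trusted $Trusted
        Get-UntrustedWriteAce -Path (Split-Path -LiteralPath $ConfigPath -Parent) -Rights $dirRights -Trusted $Trusted
        # The owner can always rewrite the DACL, so an untrusted owner is a finding.
        if ($Trusted -notcontains $owner) {
            [pscustomobject]@{ Path = $ConfigPath; Principal = $owner; Rights = 'Owner'; Inherited = $false }
        }
    )
}

# Usage:
# Test-PabConfigWriteAccess -ConfigPath '<path_to_config_file>' | Format-Table -AutoSize
```

Any row in the output means a standard user can still change the file or replace it, and the machine should be treated as unmitigated even if the installed version looks current.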

Patch Information

KnowBe4 has released a patch that corrects the permission settings on the configuration file to prevent unauthorized modifications, and states that automated updates will be pushed to address the issue. Users of affected versions should verify that the latest version is installed and, if it is not, apply the latest updates provided by KnowBe4. Do not rely on the automated update alone: a machine whose configuration has already been redirected to an attacker-controlled update server will not receive the vendor's update through that channel, so check the update server URL in the configuration and the installed version directly.

For detailed patch information, refer to the KnowBe4 Security Advisory.

Workarounds

  • Manually set the correct permissions on the configuration file to restrict write access to administrators only
  • Use Windows Group Policy to enforce file permissions on the PAB configuration directory
  • Implement application whitelisting to prevent unauthorized executables from running via the update mechanism
  • Consider network-level controls to restrict PAB update communications to known legitimate servers only
```powershell
# Windows (cmd.exe or PowerShell) - restrict write access on the configuration file
# to administrators and SYSTEM while standard users keep read access, which the
# add-in needs to load the file. Replace <path_to_config_file> with the actual path.
# /inheritance:r drops ACEs inherited from the (permissive) parent directory;
# /grant:r replaces, rather than adds to, the existing grants.
icacls "<path_to_config_file>" /inheritance:r /grant:r "BUILTIN\Administrators:(F)" /grant:r "NT AUTHORITY\SYSTEM:(F)" /grant:r "BUILTIN\Users:(R)"
# A standard user who owns the file can rewrite its DACL; hand ownership to administrators.
icacls "<path_to_config_file>" /setowner "BUILTIN\Administrators"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Phish Alert Button (KnowBe4)
  • Severity: Low
  • CVSS Score: 2.8
  • EPSS Probability: 0.04%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

Impact Assessment

  • Confidentiality: None (C:N in the vector above)
  • Integrity: Low
  • Availability: None

CWE References

  • CWE-269: Improper Privilege Management

Technical References

  • KnowBe4 Security Advisory