CVE-2024-30078 Overview
CVE-2024-30078 is a remote code execution vulnerability in the Microsoft Windows Wi-Fi driver. An unauthenticated attacker within wireless range can send a crafted network packet to a target adjacent on the same Wi-Fi network and execute arbitrary code without user interaction. The flaw is classified under [CWE-20] Improper Input Validation and affects nearly all supported Windows client and Windows Server releases. Microsoft published the advisory on June 11, 2024, and the EPSS exploitation probability sits in the 96th percentile, indicating elevated attacker interest relative to other CVEs.
Critical Impact
An attacker within Wi-Fi range can execute arbitrary code on vulnerable Windows hosts without authentication or user interaction, enabling lateral movement across enterprise wireless networks.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and Server 2022 23H2
Discovery Timeline
- 2024-06-11 - CVE-2024-30078 published to NVD
- 2024-06-11 - Microsoft releases security patch via the Microsoft CVE-2024-30078 Advisory
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2024-30078
Vulnerability Analysis
The vulnerability resides in the Windows Wi-Fi driver stack responsible for parsing 802.11 wireless frames. The driver fails to properly validate input fields within incoming wireless packets before processing them in kernel context. An attacker on an adjacent network can send a malformed frame that triggers memory corruption in the driver, leading to arbitrary code execution. Because the issue is reachable over the radio layer, exploitation does not require the target to associate with a malicious access point or accept any prompt. The vulnerability is reachable before higher-layer authentication occurs, which expands the attack surface in any environment where Wi-Fi is enabled.
Root Cause
The root cause is improper input validation [CWE-20] in the Wi-Fi driver's frame handling routines. Fields within a crafted 802.11 frame are processed without enforcing length, type, or boundary constraints. This permits an attacker-controlled value to corrupt driver memory structures and redirect execution flow.
Attack Vector
Exploitation requires adjacency on the same wireless network segment, typically within physical Wi-Fi range of the target. The attacker transmits a specially crafted wireless packet to a vulnerable host with Wi-Fi enabled. No credentials, user interaction, or prior compromise are required. Successful exploitation yields code execution in the context of the driver, generally at SYSTEM-level privileges. Public proof-of-concept code is not available at the time of writing, but the high EPSS percentile reflects significant attacker interest. See the Microsoft CVE-2024-30078 Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2024-30078
Indicators of Compromise
- Unexplained crashes, bug checks, or restarts of Native Wifi driver components such as nwifi.sys on patched or unpatched hosts.
- Anomalous kernel-mode process activity or new SYSTEM-level child processes spawned shortly after wireless connectivity events.
- Unexpected wireless adapter reset events recorded in the Windows Event Log around the time of suspicious activity.
Detection Strategies
- Correlate Windows Error Reporting and Microsoft-Windows-WLAN-AutoConfig event logs to identify malformed frame indicators or driver faults.
- Monitor endpoint telemetry for kernel-level memory corruption signals and unsigned code execution following Wi-Fi association events.
- Use community-published detection tooling such as the Vicarius Detection Script for CVE-2024-30078 to identify unpatched hosts at scale.
Monitoring Recommendations
- Inventory all Windows endpoints and servers with active Wi-Fi adapters, including domain controllers and infrastructure hosts that may have Wi-Fi enabled inadvertently.
- Track Microsoft patch compliance for the June 2024 cumulative update across all listed Windows builds.
- Alert on unexpected SYSTEM-level process creation immediately following wireless network state changes.
How to Mitigate CVE-2024-30078
Immediate Actions Required
- Apply the June 2024 Microsoft security update referenced in the Microsoft CVE-2024-30078 Advisory to all affected Windows builds.
- Prioritize patching for mobile and laptop fleets, conference room systems, and any server with Wi-Fi hardware enabled.
- Validate patch deployment with vulnerability scanners and verify the corresponding KB build number matches the installed OS version.
Patch Information
Microsoft addressed CVE-2024-30078 in the June 11, 2024 Patch Tuesday release. Refer to the Microsoft CVE-2024-30078 Advisory for the specific KB article and build number that corresponds to each affected Windows version. The Vicarius Mitigation Script for CVE-2024-30078 provides automated remediation tooling for environments without centralized patch management.
Workarounds
- Disable the Wi-Fi adapter on systems that do not require wireless connectivity, particularly servers and fixed-location workstations.
- Restrict wireless access to trusted SSIDs and enforce WPA3-Enterprise where supported to reduce attacker proximity opportunities.
- Physically isolate critical systems from areas where untrusted devices can establish wireless adjacency, such as public lobbies and shared floors.
# Disable the wireless adapter on a Windows host where Wi-Fi is not required
netsh interface set interface name="Wi-Fi" admin=disabled
# Verify installed updates include the June 2024 cumulative update
wmic qfe list brief /format:table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
