CVE-2024-38049 Overview
CVE-2024-38049 is a remote code execution vulnerability in the Windows Distributed Transaction Coordinator (MSDTC) service. The flaw affects a broad range of supported Microsoft Windows desktop and server releases, from Windows 10 1507 through Windows 11 23H2 and Windows Server 2008 through Server 2022 23H2. The vulnerability is associated with [CWE-73: External Control of File Name or Path] and [CWE-610: Externally Controlled Reference to a Resource in Another Sphere]. An unauthenticated attacker on the network can trigger code execution against the MSDTC service when specific conditions are met. Microsoft issued an advisory and security update on the July 2024 Patch Tuesday cycle.
Critical Impact
Successful exploitation allows network-based remote code execution against MSDTC with full impact to confidentiality, integrity, and availability of the targeted Windows host.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-07-09 - CVE-2024-38049 published to NVD and addressed in Microsoft's July 2024 security update
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38049
Vulnerability Analysis
The vulnerability resides in the Microsoft Distributed Transaction Coordinator (MSDTC) service, which coordinates transactions that span multiple resource managers across networked Windows hosts. MSDTC listens on dynamically assigned RPC endpoints and brokers two-phase commit operations between transaction participants. The defect allows an attacker to influence how MSDTC resolves external resource references handled by the service, mapping to weaknesses categorized as [CWE-73] and [CWE-610]. When the service processes attacker-controlled input that designates a file name, path, or external resource, the trust boundary between the caller and the privileged service is crossed. Exploitation results in code execution in the context of the MSDTC service on the target host.
Root Cause
The root cause is improper validation of externally controlled references inside MSDTC's handling of transaction-related resources. Because MSDTC accepts inputs supplied over the network through RPC, an attacker can steer the service toward a resource location of their choosing. The combination of external file/path control [CWE-73] and a reference crossing trust spheres [CWE-610] enables the service to load or act on adversary-controlled content.
Attack Vector
The attack vector is the network. No prior authentication and no user interaction are required; however, attack complexity is high because the attacker must win a race or satisfy specific environmental preconditions tied to MSDTC's transaction state. A typical exploitation path requires reachability to the MSDTC RPC endpoint, which is often exposed in Active Directory domains, clustered SQL Server deployments, and enterprise application servers that participate in distributed transactions. There are no public proof-of-concept exploits published in ExploitDB, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing.
No verified public exploit code is available for this vulnerability. Refer to the Microsoft Security Update CVE-2024-38049 advisory for additional technical context.
Detection Methods for CVE-2024-38049
Indicators of Compromise
- Unexpected child processes spawned by msdtc.exe, especially command interpreters such as cmd.exe, powershell.exe, or script hosts.
- Outbound or lateral RPC traffic to TCP port 135 and the dynamic MSDTC endpoint range from hosts that do not normally initiate distributed transactions.
- MSDTC service crashes, restarts, or transaction log anomalies in the Windows Application and System event logs without a corresponding business workload.
- New or modified files in %SystemRoot%\System32\MsDtc\ or unexpected MSDTC log entries referencing remote UNC paths.
Detection Strategies
- Monitor process creation events (Windows Event ID 4688, Sysmon Event ID 1) where the parent image is msdtc.exe and the child is a scripting or LOLBin process.
- Inspect RPC activity targeting the MSDTC interface UUID 906B0CE0-C70B-1067-B317-00DD010662DA from untrusted networks or unexpected source hosts.
- Correlate authentication-less network connections to RPC endpoint mapper (port 135) with subsequent loads of MSDTC-related DLLs such as msdtcprx.dll and mtxoci.dll.
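As an added illustration that is not part of the original advisory text, the first detection strategy above (msdtc.exe spawning a command interpreter or LOLBin) written as a rule over constructed Sysmon Event ID 1 and Security Event ID 4688 records; the field names follow those event schemas, and the sample events are made up here:

```python
# Constructed sample records modelled on Sysmon Event ID 1 and Security 4688 fields.
# They are not real telemetry; they exist only to exercise the rule below.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\msdtc.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msdtc.exe", "CommandLine": "msdtc.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\msdtc.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe", "CommandLine": ""},
]

# Command interpreters, script hosts and common LOLBins that MSDTC never launches in normal operation.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def normalize(event: dict):
    """Map Sysmon ID 1 and Security 4688 field names onto one shape; None for other events."""
    if event.get("EventID") == 1:
        return {"parent": event["ParentImage"], "child": event["Image"],
                "cmdline": event.get("CommandLine", "")}
    if event.get("EventID") == 4688:
        return {"parent": event["ParentProcessName"], "child": event["NewProcessName"],
                "cmdline": event.get("CommandLine", "")}
    return None


def is_suspicious_msdtc_child(event: dict) -> bool:
    """True when msdtc.exe is the parent and the child is an interpreter or LOLBin."""
    n = normalize(event)
    if n is None:
        return False
    return _basename(n["parent"]) == "msdtc.exe" and _basename(n["child"]) in SUSPICIOUS_CHILDREN


def find_alerts(events):
    """Return the normalized records that should raise an alert."""
    return [normalize(e) for e in events if is_suspicious_msdtc_child(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT msdtc.exe -> {alert['child']} : {alert['cmdline']}")
```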
Monitoring Recommendations
- Enable command-line auditing and Sysmon process and image-load logging on servers running MSDTC, including SQL Server, BizTalk, and clustered application hosts.
- Forward Windows Security, System, and Sysmon logs to a centralized analytics platform and alert on anomalous MSDTC behavior.
- Track exposure of MSDTC RPC endpoints with periodic external and internal scans to identify hosts that should not have the service reachable.
How to Mitigate CVE-2024-38049
Immediate Actions Required
- Apply the July 2024 Microsoft security update that addresses CVE-2024-38049 across all supported Windows desktop and server SKUs listed in the advisory.
- Inventory hosts that expose the MSDTC service over the network and prioritize patching for domain controllers, database servers, and clustered application hosts.
- Restrict inbound access to TCP port 135 and the MSDTC RPC dynamic port range at host and network firewalls, allowing only required transaction partners.
- Disable MSDTC (Distributed Transaction Coordinator service) on servers that do not require distributed transactions.
Patch Information
Microsoft released fixes for CVE-2024-38049 as part of the July 9, 2024 security update cycle. Patches are available for all listed Windows 10, Windows 11, and Windows Server versions through Windows Update, WSUS, and the Microsoft Update Catalog. Consult the Microsoft Security Update CVE-2024-38049 advisory for KB article numbers tied to each affected build.
Workarounds
- Block inbound RPC endpoint mapper (TCP 135) and configure the MSDTC RPC port range to a narrow, firewalled range using dcomcnfg and registry settings.
- Set the MSDTC service startup type to Disabled and stop the service on hosts that do not participate in distributed transactions.
- Segment networks so that MSDTC traffic is permitted only between explicitly authorized transaction participants, denying broad east-west access.
# Configuration example: disable MSDTC where not required and restrict the RPC port range (run in an elevated PowerShell session)
sc.exe stop MSDTC
sc.exe config MSDTC start= disabled
# Constrain MSDTC RPC dynamic ports. The Internet key does not exist by default, so create it first;
# the new port range only takes effect after the host is restarted.
New-Item -Path 'HKLM:\Software\Microsoft\Rpc\Internet' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Rpc\Internet' -Name 'Ports' -Value @('5000-5020') -Type MultiString
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Rpc\Internet' -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Rpc\Internet' -Name 'UseInternetPorts' -Value 'Y' -Type String
# Block external access to the RPC endpoint mapper. Windows Firewall block rules take precedence over allow rules,
# so scope this rule with -RemoteAddress to untrusted ranges rather than cutting off authorized transaction partners.
New-NetFirewallRule -DisplayName 'Block RPC EPM Inbound' -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.