CVE-2024-43515 Overview
CVE-2024-43515 is a denial of service vulnerability in the Microsoft Windows Internet Small Computer Systems Interface (iSCSI) component. The flaw is classified as uncontrolled resource consumption [CWE-400] and affects supported Windows client and server releases. A remote, unauthenticated attacker can reach the vulnerable service over the network and exhaust system resources, rendering the host unavailable. Microsoft published the advisory on October 8, 2024 as part of the monthly security update cycle.
Critical Impact
Remote, unauthenticated attackers can disrupt availability of Windows hosts running the iSCSI service, with no user interaction required and low attack complexity.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-10-08 - CVE-2024-43515 published to NVD; Microsoft releases the security update
- 2024-10-17 - Last updated in NVD database
Technical Details for CVE-2024-43515
Vulnerability Analysis
The vulnerability resides in the Windows iSCSI implementation, which provides block-level storage access over IP networks. iSCSI listens on TCP port 3260 by default and processes protocol data units (PDUs) from initiators. An attacker who can deliver crafted traffic to the iSCSI service triggers uncontrolled resource consumption, leading to a denial of service condition on the target host.
Because iSCSI underpins storage connectivity for virtualization, database, and backup workloads, loss of availability on an iSCSI target or initiator can cascade into broader outages across dependent services and clustered systems.
Root Cause
The root cause is mapped to [CWE-400] Uncontrolled Resource Consumption. The iSCSI service fails to enforce sufficient limits on a resource consumed during PDU processing, allowing remote input to drive memory, CPU, or handle usage to exhaustion. Microsoft has not released technical specifics beyond the advisory.
Attack Vector
Exploitation is network-based, requires no privileges, and requires no user interaction. An attacker reaches the iSCSI listener directly and submits malformed or excessive requests. The EPSS score of 2.23% places the CVE in approximately the 80th percentile for exploitation likelihood, though no public exploit code or in-the-wild activity has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified proof-of-concept code is publicly available. Refer to the Microsoft Security Advisory for vendor-published technical details.
Detection Methods for CVE-2024-43515
Indicators of Compromise
- Unexpected restarts, hangs, or service stops of the Microsoft iSCSI Initiator Service (MSiSCSI) or iSCSI Target Server (WTSvc).
- Spikes in inbound TCP connections or malformed PDUs directed at port 3260 from untrusted networks.
- Event log entries indicating resource exhaustion, memory allocation failures, or repeated session terminations on iSCSI-enabled hosts.
Detection Strategies
- Monitor Windows Event Logs under Microsoft-Windows-iSCSITarget and Microsoft-Windows-iSCSI channels for abnormal volumes of session, login, or error events.
- Inspect network telemetry for unauthorized sources connecting to TCP 3260, especially from outside storage VLANs.
- Correlate sudden availability loss of storage-dependent workloads with iSCSI service state changes.
Monitoring Recommendations
- Baseline normal iSCSI initiator and target traffic so deviations in connection volume or session duration are visible.
- Alert on repeated service crashes or restarts of MSiSCSI or the iSCSI Target Server within short time windows.
- Track patch deployment status for the October 2024 Windows security updates across all servers exposing iSCSI.
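The detection and monitoring points above can be checked from a single script. The following is an added example and is not part of the advisory or of any Microsoft tooling; it assumes PowerShell 5.1 or later on the monitored host, the service names MSiSCSI (initiator) and WTSvc (iSCSI Target Server), Service Control Manager event IDs 7031 and 7034 for unexpected service terminations, and a placeholder storage subnet of 10.0.50.0/24 that you replace with your own storage VLAN ranges. It counts iSCSI service crashes inside a lookback window, flags established TCP 3260 connections from addresses outside the authorized subnets, and reports the current service state.

```powershell
# Added example (not from the advisory): local indicators of the iSCSI resource-exhaustion
# pattern. Assumptions: PowerShell 5.1+, services MSiSCSI/WTSvc, SCM events 7031/7034,
# placeholder storage subnet 10.0.50.0/24.

function Test-IPv4InSubnet {
    # Returns $true when $Address lies inside the IPv4 CIDR block $Cidr; IPv6 and loopback
    # addresses return $false and are therefore reported as outside the storage subnets.
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ip  = [System.Net.IPAddress]::Parse($Address)
    $net = [System.Net.IPAddress]::Parse($network)
    if ($ip.AddressFamily -ne 'InterNetwork' -or $net.AddressFamily -ne 'InterNetwork') { return $false }
    $ipBytes  = $ip.GetAddressBytes();  [Array]::Reverse($ipBytes)
    $netBytes = $net.GetAddressBytes(); [Array]::Reverse($netBytes)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    # 0xFFFFFFFF is an Int64 literal in PowerShell, so mask back to 32 bits after the shift
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-IscsiDosIndicators {
    param(
        [string[]]$AuthorizedSubnets = @('10.0.50.0/24'),  # placeholder storage VLAN
        [int]$LookbackHours = 24,
        [int]$CrashThreshold = 3                            # restarts per window that count as a loop
    )

    # 1. Unexpected terminations of the iSCSI services recorded by the Service Control Manager
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -match 'iSCSI' })

    # 2. Established connections on the local iSCSI port from outside the authorized subnets
    $foreign = @(Get-NetTCPConnection -LocalPort 3260 -State Established -ErrorAction SilentlyContinue |
                 Where-Object {
                     $remote = $_.RemoteAddress
                     -not ($AuthorizedSubnets | Where-Object { Test-IPv4InSubnet -Address $remote -Cidr $_ })
                 })

    # 3. Current service state, so a stopped target or a crash loop is visible at a glance
    $services = foreach ($name in 'MSiSCSI', 'WTSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { '{0}={1}' -f $name, $svc.Status } else { "$name=NotInstalled" }
    }

    [pscustomobject]@{
        ServiceState       = $services -join '; '
        CrashEvents        = $crashes.Count
        CrashLoopSuspected = $crashes.Count -ge $CrashThreshold
        ForeignConnections = @($foreign | Select-Object RemoteAddress, RemotePort, OwningProcess)
        Alert              = ($crashes.Count -ge $CrashThreshold) -or ($foreign.Count -gt 0)
    }
}

Get-IscsiDosIndicators | Format-List
```

Run it from an elevated session on each iSCSI-enabled host, or schedule it and forward the Alert field to your SIEM; the crash threshold and lookback window are tuning knobs, and a connection from an address that is not in the authorized list is a configuration finding as much as a detection one.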
How to Mitigate CVE-2024-43515
Immediate Actions Required
- Apply the October 2024 Microsoft security updates to every affected Windows client and server build listed in the advisory.
- Identify all hosts running the iSCSI Initiator Service or iSCSI Target Server and prioritize patching for internet-exposed or DMZ systems.
- Restrict access to TCP 3260 using host and network firewalls so only authorized initiators and targets can communicate.
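Prioritizing the three actions above requires knowing which hosts actually expose the service. The script below is an added example, not part of the advisory or of any Microsoft tooling; it assumes PowerShell 5.1 or later, the service names MSiSCSI and WTSvc, and a placeholder storage subnet of 10.0.50.0/24 that you replace with your own ranges. It reports the state of both iSCSI services, whether anything is listening on TCP 3260, and which enabled inbound Allow rules open that port to remote addresses broader than the authorized subnets, so that hosts marked as exposed can be patched or firewalled first.

```powershell
# Added example (not from the advisory): audit one host's iSCSI exposure. Assumptions:
# PowerShell 5.1+, services MSiSCSI/WTSvc, placeholder storage subnet 10.0.50.0/24.

function Get-IscsiExposureReport {
    param([string[]]$AuthorizedSubnets = @('10.0.50.0/24'))  # placeholder storage VLAN

    # 1. Which iSCSI services are present, and are they running or set to start automatically?
    $services = foreach ($name in 'MSiSCSI', 'WTSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        }
    }

    # 2. Is anything actually listening on TCP 3260?
    $listening = @(Get-NetTCPConnection -LocalPort 3260 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    # 3. Which enabled inbound Allow rules cover TCP 3260, and from which remote addresses?
    $openRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $ports = @($portFilter.LocalPort)
        # LocalPort may be 'Any', a single port, or a range such as '3000-4000'
        $covers3260 = ($ports -contains 'Any') -or ($ports -contains '3260') -or
                      [bool]($ports | Where-Object { $_ -match '^(\d+)-(\d+)$' -and
                                                   [int]$Matches[1] -le 3260 -and [int]$Matches[2] -ge 3260 })
        if (-not $covers3260) { continue }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = $remote -join ','
            # 'Any', or any scope that is not one of the configured storage subnets, needs review
            OverBroad     = [bool]($remote | Where-Object { $_ -eq 'Any' -or $_ -notin $AuthorizedSubnets })
        }
    }

    # A host is exposed when the port is open locally and at least one over-broad Allow rule exists
    $exposed = $listening -and [bool]($openRules | Where-Object OverBroad)
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        Services                   = $services
        ListeningOn3260            = $listening
        OpenRules                  = @($openRules)
        ExposedToUntrustedNetworks = $exposed
        PriorityPatch              = $exposed
    }
}

Get-IscsiExposureReport | Format-List
```

To cover an inventory rather than one machine, the function is self-contained and can be shipped over WinRM, for example with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-IscsiExposureReport}` (assuming PowerShell remoting is enabled on the targets); hosts returning PriorityPatch = True are the internet-facing or DMZ candidates the advisory tells you to patch first.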
Patch Information
Microsoft released fixes on October 8, 2024 through the standard Windows Update channels. Refer to the Microsoft Security Advisory for the specific KB articles that correspond to each affected Windows version.
Workarounds
- Disable the iSCSI Initiator Service (MSiSCSI) and iSCSI Target Server roles on systems that do not require them.
- Segment storage traffic onto isolated VLANs and require IPsec or CHAP authentication for iSCSI sessions where supported.
- Block TCP 3260 at perimeter and east-west firewalls except between explicitly authorized initiator and target pairs.
# Disable the iSCSI Initiator Service on hosts that do not require it (stop it first so the change takes effect immediately)
Stop-Service -Name MSiSCSI -Force
Set-Service -Name MSiSCSI -StartupType Disabled
# Block all inbound iSCSI traffic on hosts that must not expose the service at all. A Block rule overrides any
# Allow rule in Windows Firewall, so do not apply this rule on targets that still serve authorized initiators;
# scope those hosts' Allow rule for TCP 3260 to the storage subnet instead.
New-NetFirewallRule -DisplayName "Block-iSCSI-Untrusted" -Direction Inbound -Protocol TCP -LocalPort 3260 -RemoteAddress "Any" -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.