CVE-2024-49059: Microsoft 365 Apps Privilege Escalation

CVE-2024-49059 Overview

CVE-2024-49059 is an elevation of privilege vulnerability affecting Microsoft Office and Microsoft 365 Apps. The flaw stems from a combination of link-following behavior [CWE-59] and a race condition [CWE-362] during file operations performed by Office components. An authenticated local attacker can leverage the race window to redirect file operations through a symbolic link and gain elevated privileges on the host.

Microsoft disclosed the issue through its Security Update Guide and assigned it a CVSS 3.1 base score of 7.0. Exploitation requires local access and successful timing of the race condition, which raises attack complexity but does not require user interaction.

Critical Impact

Successful exploitation allows a local, authenticated attacker to escalate privileges and compromise the confidentiality, integrity, and availability of the affected system through Office file-handling logic.

Affected Products

• Microsoft 365 Apps for Enterprise
• Microsoft Office 2016 and Microsoft Office 2019
• Microsoft Office Long Term Servicing Channel (LTSC) 2021 and LTSC 2024

Discovery Timeline

• 2024-12-12 - CVE-2024-49059 published to NVD
• 2025-01-08 - Last updated in NVD database

Technical Details for CVE-2024-49059

Vulnerability Analysis

The vulnerability combines two weakness classes that frequently appear together in Windows privilege escalation issues. CWE-59 covers improper link resolution before file access, commonly known as link following. CWE-362 covers concurrent execution using shared resources with improper synchronization, more widely recognized as a race condition.

Microsoft Office performs file system operations during installation, update, repair, and document handling routines. When these operations write to predictable paths without atomic checks, an attacker holding low-privileged local access can substitute a target path with a symbolic link between the check and the use. Office then performs the privileged write against an attacker-chosen location.

The attacker must win a narrow timing window, which Microsoft reflects in the high attack complexity rating. Reliable exploitation typically requires opportunistic locks or filter drivers to stall the privileged operation while the link swap completes.

Root Cause

The root cause is a time-of-check to time-of-use (TOCTOU) flaw in Office file handling. The product validates a path or its attributes before opening the file but does not hold the handle or enforce reparse-point restrictions during the operation. An attacker replaces the path with a symbolic link in the gap between validation and use.

Attack Vector

The attack vector is local. A standard user account on the workstation creates a junction or symbolic link in a directory writable to that user, points it at a SYSTEM-owned or otherwise protected file, and triggers the Office routine that performs the privileged write. When the race wins, Office writes or modifies content on the protected target, which the attacker leverages for code execution under a higher integrity level.

No network access or user interaction is required. Public proof-of-concept code is not currently available, and the CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-49059

Indicators of Compromise

• Creation of symbolic links, junctions, or hard links by non-administrative users inside Office working directories under %LOCALAPPDATA%\Microsoft\Office or %PROGRAMDATA%\Microsoft.
• Office processes such as winword.exe, excel.exe, or OfficeClickToRun.exe writing to paths outside their normal scope, including C:\Windows\System32 or C:\Program Files.
• Unexpected privilege transitions where a child process spawned by an Office binary runs at higher integrity than the parent user session.

Detection Strategies

• Hunt for CreateSymbolicLink and mklink activity originating from non-administrative user contexts followed by Office process file writes within a short time window.
• Correlate Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) entries to identify Office processes writing to protected locations soon after link creation.
• Apply Windows Defender Application Control or AppLocker audit logs to flag Office binaries opening reparse points in user-writable directories.

Monitoring Recommendations

• Enable command-line auditing and Sysmon across endpoints running Microsoft 365 Apps and Office LTSC, with rules targeting reparse point creation.
• Forward Office Click-to-Run and Windows Installer logs to a centralized SIEM for correlation with privilege transition events.
• Track installed Office build numbers across the estate and alert on hosts still running pre-December 2024 builds.

How to Mitigate CVE-2024-49059

Immediate Actions Required

• Apply the December 2024 Microsoft Office security updates referenced in the Microsoft CVE-2024-49059 Advisory to all affected SKUs.
• Inventory all hosts running Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024, then prioritize patching on multi-user and shared workstations.
• Restrict local logon rights and remove unnecessary administrative accounts on systems where Office is installed to reduce the population of users who can stage the race.

Patch Information

Microsoft released fixed builds through the Office Click-to-Run service and Microsoft Update for the affected channels. Administrators should validate that endpoints report a December 2024 or later Office build and confirm Click-to-Run update channels are unblocked at the network layer. Refer to the Microsoft Security Update Guide entry for CVE-2024-49059 for exact build numbers per channel.

Workarounds

• Disable the SeCreateSymbolicLinkPrivilege for standard users through Group Policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment until patches are deployed.
• Enforce least privilege on Office working directories and remove write access for non-administrative accounts wherever feasible.
• Where patching is delayed, monitor for reparse point abuse on affected endpoints and quarantine hosts exhibiting suspicious Office file-handling behavior.

# Verify installed Office Click-to-Run build on a Windows endpoint
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport

# Audit accounts granted the symbolic link creation privilege
secedit /export /areas USER_RIGHTS /cfg C:\Temp\user_rights.inf
findstr /I "SeCreateSymbolicLinkPrivilege" C:\Temp\user_rights.inf