CVE-2024-21338 — Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability

Windows AppLocker Driver (appid.sys) — IOCTL Access Control Flaw Enables SYSTEM LPE; Lazarus Group FudModule Rootkit Deployment

What is the Windows AppLocker Kernel Driver (appid.sys)?

The Windows AppLocker Application Identity driver (appid.sys) is a kernel-mode driver that supports Windows AppLocker — the feature that enforces application control policies restricting which programs can execute on a system. appid.sys exposes an IOCTL (Input/Output Control) interface that allows user-mode processes to interact with the AppLocker enforcement engine. Because kernel drivers expose IOCTLs to user-mode, the access control on these IOCTLs is critical — insufficient access controls allow low-privilege processes to invoke kernel operations that should be restricted to privileged callers.

Overview

CVE-2024-21338 is a zero-day vulnerability in the Windows AppLocker kernel driver (appid.sys) involving an exposed IOCTL with insufficient access control and an untrusted pointer dereference. It was discovered and exploited by North Korea's Lazarus Group to deploy the FudModule kernel rootkit — a sophisticated tool that manipulates Windows security telemetry and disables EDR sensors from the kernel level. Avast researchers discovered the exploitation in the wild and attributed it to Lazarus Group. This is the first Lazarus FudModule deployment that used a genuine kernel zero-day (as opposed to the BYOVD technique used in earlier FudModule deployments).

Affected Versions

OS                                   Status
Windows 10 (all supported versions)  Patched in the February 2024 Patch Tuesday update
Windows 11 (all supported versions)  Patched in the February 2024 Patch Tuesday update
Windows Server 2019 and later        Patched in the February 2024 Patch Tuesday update

Technical Details

The weakness is classified as CWE-822 (Untrusted Pointer Dereference). The appid.sys driver's IOCTL handler processes requests from user-mode processes. A flaw in access control validation allows a low-privilege process to send IOCTLs that should be restricted to higher-privilege callers. In addition, the IOCTL handler dereferences a pointer supplied in the IOCTL input buffer without adequate validation — an untrusted pointer dereference that lets an attacker specify an arbitrary kernel address to read from or write to.

Lazarus Group's exploitation path: low-privilege user process → send crafted IOCTL to appid.sys → trigger untrusted pointer dereference → achieve kernel write primitive → overwrite kernel security objects to gain SYSTEM → deploy FudModule rootkit which disables ETW kernel telemetry, removes EDR minifilter callbacks, and neutralizes Windows security mechanisms.

FudModule marks a significant evolution: earlier versions (2022–2023) used Bring Your Own Vulnerable Driver (BYOVD) to achieve kernel access; CVE-2024-21338 allowed the same rootkit to be deployed without bringing an external driver, reducing detection risk significantly.

Discovery

Discovered by Jan Vojtěšek and the Avast Threat Research team, who identified FudModule samples in the wild that used a new technique (a genuine kernel zero-day rather than BYOVD) and reverse-engineered the appid.sys vulnerability. Avast reported the issue to Microsoft, which patched it in the February 2024 Patch Tuesday release.

Exploitation Context

The Lazarus Group (North Korea's primary APT, also known as APT38 and Hidden Cobra) uses FudModule rootkit deployments as part of cryptocurrency theft operations targeting financial institutions and cryptocurrency exchanges. The rootkit's ability to disable Windows security telemetry and EDR sensors makes post-exploitation activity invisible, enabling prolonged access. CVE-2024-21338 was a significant capability upgrade: exploiting a kernel zero-day instead of loading a vulnerable driver binary makes the attack harder to detect and removes a common BYOVD detection signal.

Remediation

  1. Apply the February 2024 Windows security updates (Patch Tuesday, February 13, 2024) immediately.
  2. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) — these protect kernel code integrity and significantly complicate kernel rootkit deployment.
  3. Deploy EDR solutions with self-protection mechanisms (kernel tamper protection) that resist FudModule's callback removal techniques.
  4. Monitor for unusual AppLocker-related kernel events and for gaps in ETW telemetry that may indicate FudModule is suppressing security events.
  5. Cryptocurrency industry organizations should treat Lazarus Group as an active threat and verify full patch compliance for this and related CVEs.
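A defender-side posture check covering steps 1, 2 and 4 above, written as an added example (it is not from this advisory, Avast or Microsoft): it reads the installed appid.sys version, the VBS/HVCI state, and how long the Security log has been silent. The fixed appid.sys version is a placeholder you must fill in from the February 2024 update for your build, and the silence threshold is an assumed value.

```powershell
# Added example: CVE-2024-21338 posture check for a Windows host. Run in an elevated shell.
# ASSUMPTIONS: $PatchedAppIdVersion is a PLACEHOLDER (fill in from the February 2024 update for
# your OS build); $MaxTelemetrySilence is a constructed threshold, not a value from the advisory.

$PatchedAppIdVersion = [version]'0.0.0.0'          # PLACEHOLDER: fixed appid.sys version for this build
$MaxTelemetrySilence = [TimeSpan]::FromMinutes(30)   # assumed: longer silence than this is suspicious

function Get-AppIdDriverVersion {
    # Build the version from the numeric parts so the trailing "(WinBuild...)" text that
    # Windows puts in FileVersion does not break the comparison.
    $vi = (Get-Item (Join-Path $env:SystemRoot 'System32\drivers\appid.sys')).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-VbsHvciState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 2 when HVCI (Memory integrity) is enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-SecurityLogSilence {
    # A Security log that stopped receiving events is one visible symptom of ETW suppression
    # (the FudModule behaviour described above); an idle host can show the same, so treat it as a lead.
    $log = Get-WinEvent -ListLog 'Security'
    (Get-Date) - $log.LastWriteTime
}

$driverVer = Get-AppIdDriverVersion
$vbs       = Get-VbsHvciState
$silence   = Get-SecurityLogSilence

[pscustomobject]@{
    OsBuild              = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    AppIdDriverVersion   = $driverVer
    AppIdPatched         = ($driverVer -ge $PatchedAppIdVersion)   # meaningless until the placeholder is set
    VbsRunning           = $vbs.VbsRunning
    HvciRunning          = $vbs.HvciRunning
    SecurityLogSilentFor = $silence
    TelemetryGap         = ($silence -gt $MaxTelemetrySilence)
} | Format-List
```

Any host reporting AppIdPatched = False, HvciRunning = False, or TelemetryGap = True is one to prioritise for steps 1, 2 and 4 respectively.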

Key Details

Property               Value
CVE ID                 CVE-2024-21338
Vendor / Product       Microsoft — Windows
NVD Published          2024-02-13
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-822
CISA KEV Added         2024-03-04
CISA KEV Deadline      2024-03-25
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-03-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-02-13  Microsoft releases February 2024 Patch Tuesday patching CVE-2024-21338
2024-03-04  Added to CISA KEV catalog; Avast publishes attribution to Lazarus Group / FudModule rootkit
2024-03-25  CISA BOD 22-01 remediation deadline