What is Windows Error Reporting?
Windows Error Reporting (WER) is a Windows system service that collects diagnostic data when applications crash or encounter errors, then offers to send crash reports to Microsoft. WER runs with SYSTEM privileges to access memory dumps, process information, and system state from any running process — including privileged system processes. Because WER creates temporary files and directories with SYSTEM-level permissions during crash report generation, improper privilege management in WER creates a path for local privilege escalation where a low-privilege process can influence WER's SYSTEM-level file operations.
Overview
CVE-2024-26169 is an improper privilege management vulnerability in the Windows Error Reporting Service that allows a local attacker with standard user privileges to escalate to SYSTEM. Microsoft patched it in the March 2024 Patch Tuesday release; CISA added it to the KEV catalog three months later, in June 2024, with confirmed exploitation by the Black Basta ransomware group. Symantec researchers documented Black Basta using CVE-2024-26169 as a privilege escalation step in ransomware deployment chains, and noted that the exploit tool they found had a compilation timestamp that predated the patch, suggesting Black Basta may have had access to this exploit before it was publicly disclosed.
Affected Versions
| OS | Status |
|---|---|
| Windows 10 (all supported versions) | Patched March 2024 Patch Tuesday |
| Windows 11 (all supported versions) | Patched March 2024 Patch Tuesday |
| Windows Server 2016 and later | Patched March 2024 Patch Tuesday |
Technical Details
CWE-269 (Improper Privilege Management). The Windows Error Reporting service creates and manages files and registry keys with SYSTEM-level permissions during its crash reporting workflow. A flaw in how WER manages the permissions or ownership of these objects allows a low-privilege attacker to do one of two things: create a file or registry key that WER later accesses with SYSTEM privileges (planting attacker-controlled content), or leverage WER's privileged file operations to write to locations that a standard user cannot normally access. The result is a controlled write to a privileged location that can be used to achieve SYSTEM access, for example by writing a malicious DLL to a SYSTEM-loaded path or overwriting a privilege-related registry key.
The Low Attack Complexity and Low Privileges Required ratings indicate this is a reliable local privilege escalation (LPE) exploitable from any standard user account.
Discovery
The Symantec Threat Hunter Team documented exploitation by Black Basta and noted the exploit tool's compilation timestamp predated the March 2024 patch. This pre-patch timestamp indicates Black Basta either independently discovered the vulnerability or obtained it through a zero-day broker, exploiting it before Microsoft became aware and patched it.
Exploitation Context
Black Basta is a prolific ransomware-as-a-service (RaaS) operation responsible for hundreds of attacks against enterprise targets since 2022. Their typical attack chain: phishing or initial access purchase → deploy QakBot or other loader → use LPE exploit to gain SYSTEM → deploy Cobalt Strike → harvest credentials → deploy Black Basta ransomware. CVE-2024-26169 serves as the LPE step: after gaining a low-privilege foothold via phishing, attackers escalate to SYSTEM to disable security services, delete shadow copies, and deploy the encryptor with full administrative control.
The three-month gap between patch and CISA KEV addition (March to June) reflects the typical time for ransomware groups to reverse-engineer patches and confirm exploitation in production environments.
Remediation
- Apply the March 2024 Windows security updates (Patch Tuesday, March 12, 2024) to all affected systems immediately.
- Prioritize patching systems that have not received Windows updates since February 2024 — these are at active risk of exploitation by Black Basta and similar groups.
- Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) to increase the difficulty of privilege escalation exploits.
- Monitor for privilege escalation indicators: SYSTEM-level processes spawned from user-level parent processes, unusual WER-related file activity, and Cobalt Strike beacon signatures.
- Ensure EDR solutions are deployed with tamper protection enabled — Black Basta specifically targets EDR disabling once SYSTEM access is achieved.
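The first monitoring indicator above (SYSTEM-level processes spawned from user-level parents) can be checked against process-creation telemetry. The following is an added example, not code from the advisory or from Microsoft; the field names are modelled on Sysmon process-creation events, and the allow-list, the `find_escalations` helper and the sample events are assumptions constructed for illustration.

```python
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Accounts expected to parent SYSTEM processes (assumed allow-list; tune locally).
PRIVILEGED_PARENTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE",
                      "NT AUTHORITY\\NETWORK SERVICE"}
# WER binaries, used only to tag a finding for triage.
WER_IMAGES = {"werfault.exe", "wermgr.exe", "werfaultsecure.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM,
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": SYSTEM},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\alice"},
    {"ProcessId": 5544, "Image": r"C:\Windows\System32\WerFault.exe", "User": SYSTEM,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": SYSTEM},
    {"ProcessId": 6010, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM,
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "ParentUser": r"CORP\alice"},
    {"ProcessId": 6188, "Image": r"C:\Windows\System32\cmd.exe",
     "User": "nt authority\\system",
     "ParentImage": r"C:\Windows\System32\WerFault.exe", "ParentUser": r"CORP\bob"},
    # Older Sysmon versions omit ParentUser; such events cannot be evaluated.
    {"ProcessId": 7002, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM,
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def find_escalations(events):
    """Return findings for SYSTEM processes whose parent ran as a standard user."""
    allowed = {a.upper() for a in PRIVILEGED_PARENTS}
    findings = []
    for ev in events:
        user = ev.get("User", "").upper()
        parent_user = ev.get("ParentUser", "").upper()
        # Skip non-SYSTEM children, unknown parents and expected service parents.
        if user != SYSTEM.upper() or not parent_user or parent_user in allowed:
            continue
        images = {ntpath.basename(ev.get(k, "")).lower() for k in ("Image", "ParentImage")}
        findings.append({"pid": ev.get("ProcessId"), "child": ev.get("Image"),
                         "parent": ev.get("ParentImage"), "parent_user": ev["ParentUser"],
                         "wer_related": bool(images & WER_IMAGES)})
    return findings


if __name__ == "__main__":
    for finding in find_escalations(SAMPLE_EVENTS):
        print(finding)
```

Events without a `ParentUser` field are skipped rather than flagged, so coverage depends on the telemetry source recording the parent's account.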
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-26169 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2024-03-12 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-269 |
| CISA KEV Added | 2024-06-13 |
| CISA KEV Deadline | 2024-07-04 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-03-12 | Microsoft releases March 2024 Patch Tuesday patching CVE-2024-26169 |
| 2024-06-13 | Added to CISA Known Exploited Vulnerabilities catalog; Symantec publishes attribution to Black Basta ransomware |
| 2024-07-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-26169 | Vendor Advisory |
| NVD — CVE-2024-26169 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Symantec — Black Basta Ransomware Uses CVE-2024-26169 | Security Research |