CVE-2024-29059 — Microsoft .NET Framework Information Disclosure Vulnerability

Microsoft .NET Framework — ObjRef URI Leak via Error Message Enables Remote Code Execution via Deserialization

What is Microsoft .NET Framework?

The Microsoft .NET Framework is the foundational runtime and library stack for Windows applications built with C#, VB.NET, and other .NET languages. It is installed on virtually every enterprise Windows system and underpins a vast number of web applications, desktop applications, and Windows services. .NET Remoting is a legacy inter-process and network communication framework within .NET that allows applications to invoke methods on remote objects. While .NET Remoting was deprecated in favor of WCF and gRPC, many legacy enterprise applications still rely on it. The .NET deserialization attack surface has been a prolific source of critical vulnerabilities over many years.

Overview

CVE-2024-29059 is an information disclosure vulnerability in the Microsoft .NET Framework that exposes an ObjRef (Object Reference) URI through error messages. The ObjRef URI identifies a remotely-accessible .NET object — leaking it enables an attacker to trigger .NET Remoting deserialization against that object reference, ultimately achieving remote code execution. Microsoft patched the vulnerability in March 2024 Patch Tuesday; CISA added it to the KEV catalog in February 2025, approximately 11 months after the patch, confirming active exploitation against unpatched systems.

Affected Versions

| Product | Status |
|---|---|
| .NET Framework 3.5, 4.6.2–4.8.1 (Windows 10/11) | Patched March 2024 Patch Tuesday |
| .NET Framework on Windows Server 2012–2022 | Patched March 2024 Patch Tuesday |

Technical Details

CWE-209 (Generation of Error Message Containing Sensitive Information). When a .NET Framework application encounters certain error conditions related to .NET Remoting operations, the framework generates error messages that include the ObjRef URI of the remote object involved in the failed call. An ObjRef encodes the identity and location of a remotely-accessible .NET object registered with the .NET Remoting infrastructure.

An attacker who can trigger the error condition (possible from the network if the application exposes any .NET Remoting-reachable endpoint) receives the ObjRef URI in the error response. With the ObjRef URI, the attacker can directly invoke the remote object and send it a crafted deserialization payload — reaching the .NET deserialization attack surface that has been extensively researched and has known RCE gadget chains (ysoserial.net). The result is unauthenticated remote code execution in the application's security context.

Discovery

Patched in the March 2024 Patch Tuesday cycle. The nearly 11-month gap between patch and CISA KEV addition suggests the vulnerability was reverse-engineered from the patch and weaponized against enterprise targets running legacy .NET Framework applications that had not been updated. The CISA KEV addition in February 2025 confirmed this exploitation was occurring in the wild.

Exploitation Context

.NET Remoting deserialization vulnerabilities are particularly dangerous in enterprise environments because many legacy line-of-business applications still use .NET Remoting for inter-component communication, and these applications are often maintained by vendors who release updates infrequently. The ObjRef leak provides the address resolution step needed to target the deserialization endpoint, making this a more accessible exploit than pure deserialization attacks that require blind endpoint guessing.

Remediation

  1. Apply the March 2024 .NET Framework security updates (Patch Tuesday, March 12, 2024) to all Windows systems.
  2. Apply updates to all supported .NET Framework versions — multiple versions receive separate patches and all must be updated.
  3. Audit legacy applications for use of .NET Remoting and plan migration to modern communication frameworks (gRPC, WCF, REST) where feasible.
  4. Use network segmentation and firewall rules to restrict access to .NET Remoting endpoints — these should not be internet-facing.
  5. Review application error logging configuration to ensure detailed error messages containing sensitive identifiers are not returned to unauthenticated callers.
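The following is an added example, not code from the advisory or from Microsoft: a .NET Remoting host registration that applies step 5 (and also narrows the deserialization step the Technical Details section describes) by keeping exception detail on the server and restricting the types the server formatter will deserialize. The service name LegacyOrderService, the object URI and port 9000 are assumptions.

```csharp
// Added example: hardened .NET Remoting host (not from the advisory or Microsoft).
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Assumed legacy service; any MarshalByRefObject exposed over Remoting fits here.
public class LegacyOrderService : MarshalByRefObject
{
    public string GetOrder(int id)
    {
        if (id <= 0)
            throw new ArgumentException("invalid order id"); // detail stays in server-side logs
        return "order-" + id;
    }
}

public static class RemotingHost
{
    public static void Start()
    {
        // Weak pattern found in many legacy hosts (do not use):
        //   RemotingConfiguration.CustomErrorsMode = CustomErrorsModes.Off; // full exception text to callers
        //   serverProv.TypeFilterLevel = TypeFilterLevel.Full;             // arbitrary types deserialized

        // Hardened: remote callers receive a generic error; the real exception never leaves the server.
        // Equivalent app.config: <system.runtime.remoting><customErrors mode="on"/></system.runtime.remoting>
        RemotingConfiguration.CustomErrorsMode = CustomErrorsModes.On;

        // Low filter level limits which types the binary formatter will reconstruct from a request.
        var serverProv = new BinaryServerFormatterSinkProvider();
        serverProv.TypeFilterLevel = TypeFilterLevel.Low;

        IDictionary props = new Hashtable();
        props["port"] = 9000; // assumption: internal-only port, blocked at the network perimeter (step 4)

        // ensureSecurity: true requires an authenticated, encrypted channel.
        var channel = new TcpServerChannel(props, serverProv);
        ChannelServices.RegisterChannel(channel, true);

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(LegacyOrderService), "LegacyOrderService.rem", WellKnownObjectMode.Singleton);
    }
}
```

The custom-errors setting governs what error text crosses the wire; it does not replace the March 2024 update, which fixes the framework-level leak itself.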

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2024-29059 |
| Vendor / Product | Microsoft — .NET Framework |
| NVD Published | 2024-03-23 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-209 |
| CISA KEV Added | 2025-02-04 |
| CISA KEV Deadline | 2025-02-25 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |

Required Action

CISA BOD 22-01 Deadline: 2025-02-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2024-03-12 | Microsoft releases March 2024 Patch Tuesday patching CVE-2024-29059 |
| 2024-03-23 | CVE formally published |
| 2025-02-04 | Added to CISA Known Exploited Vulnerabilities catalog — approximately 11 months after patch |
| 2025-02-25 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-29059 | Vendor Advisory |
| NVD — CVE-2024-29059 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |