CVE-2024-30051 — Microsoft DWM Core Library Privilege Escalation Vulnerability

Windows DWM Core Library — Zero-Day Heap Buffer Overflow Enables SYSTEM LPE; Used by QakBot Operators to Deploy Cobalt Strike

What is the Windows DWM Core Library?

The Desktop Window Manager (DWM) is a Windows system component responsible for compositing and rendering the visual desktop — managing transparency, live thumbnails, window animations, and the GPU-accelerated rendering pipeline for the Windows shell. dwmcore.dll runs as a privileged system service (dwm.exe) under the SYSTEM account and processes rendering state from all logged-in user sessions. Because DWM runs at SYSTEM privilege and receives input from user-mode processes for rendering, heap corruption vulnerabilities in dwmcore.dll that can be triggered from user-mode provide a reliable path to SYSTEM privilege escalation.

Overview

CVE-2024-30051 is a zero-day heap buffer overflow vulnerability in the Windows Desktop Window Manager Core Library (dwmcore.dll) that allows a local, low-privileged attacker to escalate to SYSTEM. Microsoft and CISA disclosed it simultaneously on May 14, 2024 (May Patch Tuesday), confirming active exploitation. Kaspersky discovered the vulnerability being exploited in the wild and linked it to QakBot operators, who used it to deploy Cobalt Strike after gaining initial access via phishing, part of QakBot's resurgence following the August 2023 law enforcement takedown. Notably, three independent research teams reported the same bug concurrently, which suggests it was in use by multiple threat actors.

Affected Versions

OS                                     Status
Windows 10 (all supported versions)    Patched, May 2024 Patch Tuesday
Windows 11 (all supported versions)    Patched, May 2024 Patch Tuesday
Windows Server 2016 and later          Patched, May 2024 Patch Tuesday

Technical Details

CWE-122 (Heap-Based Buffer Overflow). The dwmcore.dll DWM Core Library processes rendering commands from user-mode processes. A flaw in a size calculation or bounds check during rendering operation processing allows an attacker to trigger a heap buffer overflow — writing beyond the allocated buffer into adjacent heap memory. On Windows, the low-fragmentation heap (LFH) and other heap management features make controlled heap overflows more difficult than stack overflows, but dedicated exploit code can craft the heap layout to place target objects adjacent to the overflowed buffer and overwrite them reliably.

Because DWM runs at SYSTEM privilege, the heap overflow in dwmcore.dll corrupts memory in the SYSTEM process context — allowing the attacker to overwrite function pointers or security tokens in the DWM process heap to escalate their own process token. The Low Attack Complexity (AC:L) with Low Privileges Required (PR:L) indicates this is reliably exploitable from a standard user session.

Discovery

Discovered independently by three research teams: Kaspersky's GReAT (Global Research and Analysis Team), DBAPPSecurity, and Mandiant — an unusual occurrence suggesting the vulnerability was being actively used by multiple threat actors simultaneously when it was discovered. Kaspersky identified it while investigating a QakBot-linked attack chain where CVE-2024-30051 was used to escalate from phishing-delivered malware to SYSTEM before deploying Cobalt Strike beacons.

Exploitation Context

QakBot (also known as QBot/Pinkslipbot) has a long history as a banking trojan and initial access broker for ransomware groups including Black Basta and Conti. After the August 2023 FBI takedown operation (Operation Duck Hunt), QakBot operators resumed activity with updated infrastructure and new exploit capabilities — CVE-2024-30051 was part of this resurgence. The exploitation pattern: phishing email delivers QakBot → QakBot uses CVE-2024-30051 to escalate to SYSTEM → Cobalt Strike beacon is deployed for hands-on-keyboard operations → ransomware affiliates purchase access.

The simultaneous discovery by three different teams (Kaspersky, DBAPPSecurity, Mandiant) strongly suggests CVE-2024-30051 was widely circulating among cybercriminal actors at the time of disclosure.

Remediation

  1. Apply the May 2024 Windows security updates (Patch Tuesday, May 14, 2024) to all affected systems immediately.
  2. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) — these increase the difficulty of kernel-level exploitation and heap corruption attacks.
  3. Deploy endpoint detection and response (EDR) tools with Cobalt Strike detection signatures — Cobalt Strike beacons have well-documented indicators that EDR solutions can detect post-exploitation.
  4. Block phishing vectors (QakBot's primary delivery mechanism): enforce email security controls, disable macro execution in Office documents from the internet, and train users to recognize phishing lures.
  5. Monitor for unusual privilege escalation events — SYSTEM-level processes spawned from user-level parent processes, particularly following email or download events.
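The following PowerShell script is an added example for steps 1, 2 and 5 of the list above; it is not from the advisory, Microsoft, Kaspersky or CISA. It verifies that a post-May-2024 update is present, reads the VBS/HVCI state from the Win32_DeviceGuard WMI class, and hunts Security event 4688 for processes that end up running as SYSTEM although the creating account was not SYSTEM. Assumptions: it runs elevated on Windows 10/11 or Server 2016+, process creation auditing (event 4688) is enabled, and the KB number is a placeholder because the advisory does not list the May 2024 cumulative update KB for each build.

```powershell
# Added example (not the advisory's or Microsoft's own code).
# ASSUMPTION: run elevated; Security event 4688 (process creation auditing) is enabled.
# ASSUMPTION: $PlaceholderKB must be replaced with the May 2024 cumulative update KB for this build.

$MayPatchTuesday = Get-Date '2024-05-14'
$PlaceholderKB   = 'KB0000000'   # PLACEHOLDER - the advisory does not name the KB

function Test-May2024Update {
    # Step 1 check. True if the named KB is installed, or if any Security Update was
    # installed on/after May 14, 2024 (Windows LCUs are cumulative, so a later one includes this fix).
    $hotfixes = Get-HotFix
    $byKB   = $hotfixes | Where-Object { $_.HotFixID -eq $PlaceholderKB }
    $byDate = $hotfixes | Where-Object {
        $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $MayPatchTuesday
    }
    return [bool]($byKB -or $byDate)
}

function Get-VbsHvciStatus {
    # Step 2 check. Win32_DeviceGuard reports VBS and the security services actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled, 2 = running
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)       # 1 = Credential Guard, 2 = HVCI
    }
}

function Find-UserToSystemProcessCreation {
    # Step 5 hunt. In 4688, "Subject" is the account that created the process and "Target"
    # is the account the new process runs as; Target is only populated when it differs from Subject.
    param([int]$Hours = 24)
    $systemSid = 'S-1-5-18'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserSid'] -eq $systemSid -and $d['SubjectUserSid'] -ne $systemSid) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                Creator       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                ParentProcess = $d['ParentProcessName']
                NewProcess    = $d['NewProcessName']
                CommandLine   = $d['CommandLine']
            }
        }
    }
}

# Usage (run elevated):
$patched = Test-May2024Update
$vbs     = Get-VbsHvciStatus
"May 2024 (or later) security update present: $patched"
"VBS running: $($vbs.VbsRunning); HVCI running: $($vbs.HvciRunning)"
Find-UserToSystemProcessCreation -Hours 24 | Format-Table -AutoSize
```

The 4688 hunt deliberately excludes creations where the Subject is already SYSTEM (services.exe starting services, SYSTEM scheduled tasks), so the remaining hits are user-initiated processes that run as SYSTEM. Expect some benign matches from administrators using tools that launch processes as SYSTEM on purpose; correlate the hits with recent email or download activity, as step 5 suggests, rather than treating every match as an exploit.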

Key Details

Property               Value
CVE ID                 CVE-2024-30051
Vendor / Product       Microsoft — DWM Core Library
NVD Published          2024-05-14
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-122
CISA KEV Added         2024-05-14
CISA KEV Deadline      2024-06-04
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-06-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-05-14    Microsoft releases May 2024 Patch Tuesday; CISA adds CVE-2024-30051 to KEV the same day, confirming zero-day exploitation
2024-06-04    CISA BOD 22-01 remediation deadline