CVE-2024-43572 — Microsoft Windows Management Console Remote Code Execution Vulnerability

CVE-2024-43572

Windows Management Console — RCE via Malicious .MSC File; Zero-Day Patched on October 2024 Patch Tuesday

What is Windows Management Console?

Windows Management Console (MMC) is a built-in Windows administration framework that hosts snap-in tools for managing Windows components, Group Policy, Active Directory, certificates, disk management, and many other system management tasks. MMC uses .msc files (Microsoft Management Console snap-in files) to describe which snap-ins to load and how to configure them. MMC snap-in files are routinely shared by administrators and downloaded from the internet as legitimate administrative tools — making .msc files an effective phishing vector when a vulnerability allows a malicious .msc file to execute code upon opening.

Overview

CVE-2024-43572 is a remote code execution vulnerability in Windows Management Console that is triggered when a user opens a maliciously crafted .msc file. The attack vector is local (file-based), requiring user interaction to open the file — consistent with phishing or spear-phishing delivery. Microsoft and CISA simultaneously disclosed this as a zero-day on October 8, 2024 (Patch Tuesday), with CISA's same-day KEV addition confirming in-the-wild exploitation before the patch was released. The October 2024 Patch Tuesday update also added a warning prompt when opening .msc files from the internet as a defense-in-depth measure.

Affected Versions

| OS | Status |
|---|---|
| Windows 10 (all supported versions) | Patched October 2024 Patch Tuesday |
| Windows 11 (all supported versions) | Patched October 2024 Patch Tuesday |
| Windows Server 2008 R2 and later | Patched October 2024 Patch Tuesday |

Technical Details

CWE-707 (Improper Neutralization). The Windows Management Console processes .msc XML-based configuration files that specify snap-in components and their parameters. A flaw in MMC's parsing or processing of these files allows a specially crafted .msc file to cause code execution when opened. The local file-based attack vector (AV:L) combined with user interaction required (UI:R) indicates the exploitation path is through social engineering: an attacker delivers a malicious .msc file via email, download link, or file share, and tricks a user — often an IT administrator who regularly works with .msc files — into opening it.

Post-patch, Microsoft introduced a security warning prompt for .msc files from the internet zone, analogous to the Mark-of-the-Web controls applied to other file types. The October 2024 patch also hardens MMC snap-in loading to prevent untrusted snap-ins from being instantiated.

Discovery

Confirmed as a zero-day by the simultaneous Microsoft patch release and CISA KEV addition on October 8, 2024. The specific researcher or attribution for this vulnerability was not publicly disclosed by Microsoft.

Exploitation Context

The simultaneous Patch Tuesday and KEV addition confirms active exploitation before the patch was available. The most likely exploitation scenario is targeted spear-phishing against Windows IT administrators and system managers — users who routinely open .msc files for legitimate administrative tasks and may not scrutinize a .msc file from an unfamiliar source. Compromise of an administrator's workstation provides an attacker with elevated local privileges and typically access to Active Directory management tools, domain controller connections, and privileged credential stores.

Remediation

  1. Apply the October 2024 Windows security updates (Patch Tuesday, October 8, 2024) — this patches the vulnerability and adds the warning prompt for internet-sourced .msc files.
  2. Train administrators to be suspicious of .msc files received via email or downloaded from the internet, even from seemingly legitimate sources.
  3. Consider blocking .msc file execution for non-administrative users via AppLocker or Windows Defender Application Control (WDAC) policies.
  4. Enable SmartScreen and Attachment Manager (Mark-of-the-Web) controls to ensure warning prompts appear on files downloaded from the internet.
  5. Review endpoint detection logs for MMC execution from unusual parent processes (email client, browser, document viewer) which may indicate exploitation attempts.
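
One way to implement the parent-process check in step 5, as an added example that is not part of the original advisory: it scans Sysmon-style process-creation records (fields `Image`, `ParentImage`, `CommandLine`, `Computer`) and flags `mmc.exe` opening a .msc file under an email client, browser or document viewer. The parent watch-list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed watch-list for this example: parents that should not launch MMC.
SUSPICIOUS_PARENTS = {
    "outlook.exe", "thunderbird.exe",             # email clients
    "chrome.exe", "msedge.exe", "firefox.exe",    # browsers
    "winword.exe", "excel.exe", "acrord32.exe",   # document viewers
}

# A .msc path on the command line, either quoted or bare.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()

def msc_argument(command_line):
    """Return the .msc file named on the command line, or None."""
    m = MSC_ARG.search(command_line or "")
    return (m.group(1) or m.group(2)) if m else None

def find_suspicious_mmc(events):
    """Return alerts for mmc.exe opening a .msc file under a watched parent."""
    alerts = []
    for ev in events:
        if basename(ev.get("Image")) != "mmc.exe":
            continue
        parent = basename(ev.get("ParentImage"))
        msc = msc_argument(ev.get("CommandLine"))
        if parent in SUSPICIOUS_PARENTS and msc:
            alerts.append({"host": ev.get("Computer"), "parent": parent, "msc": msc})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws-admin01", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\Server Inventory.msc"'},
    {"Computer": "ws-admin02", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s'},
    {"Computer": "ws-user07", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"C:\Windows\System32\mmc.exe C:\Users\bob\Downloads\gpo_report.msc"},
]

if __name__ == "__main__":
    print(find_suspicious_mmc(SAMPLE_EVENTS))
```

The Explorer-launched `compmgmt.msc` event is deliberately left unflagged, so the rule does not alert on routine administrative use.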

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2024-43572 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2024-10-08 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-707 |
| CISA KEV Added | 2024-10-08 |
| CISA KEV Deadline | 2024-10-29 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2024-10-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2024-10-08 | Microsoft releases October 2024 Patch Tuesday patching CVE-2024-43572; CISA adds to KEV the same day — confirming zero-day exploitation |
| 2024-10-29 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-43572 | Vendor Advisory |
| NVD — CVE-2024-43572 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |