CVE-2024-49039 — Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

CVE-2024-49039

Microsoft Windows Task Scheduler — AppContainer Sandbox Escape via Privileged RPC (RomCom Zero-Day)

What is Windows Task Scheduler?

Windows Task Scheduler is a built-in Windows service that enables automated execution of programs and scripts at scheduled times or in response to system events. It runs with SYSTEM-level privileges and exposes an RPC interface that applications use to create, modify, and query scheduled tasks. Because it is deeply integrated into Windows and runs at high privilege, it has historically been a target for privilege escalation attacks — CVE-2024-49039 is one of several Task Scheduler vulnerabilities exploited in the wild.

Overview

CVE-2024-49039 is a privilege escalation vulnerability in the Windows Task Scheduler service that lets a low-privileged process running inside an AppContainer sandbox call privileged RPC functions it should not be able to reach. An attacker who already has code execution at that low privilege (for example, inside a sandboxed browser content process) can use the flaw to break out of the sandbox and run code at a higher integrity level on the host.

The vulnerability was exploited as a zero-day by RomCom, a Russia-aligned threat actor, chained with CVE-2024-9680 (a use-after-free in Firefox's animation timeline code) to go from a malicious web page to code running outside the browser sandbox, with no user interaction beyond visiting the page. ESET discovered and reported both zero-days in October 2024; Mozilla patched the Firefox bug on October 9, 2024, and Microsoft patched CVE-2024-49039 on November 12, 2024.

Affected Versions

Product                          Vulnerable   Fixed
Windows 10 (all versions)        Yes          November 2024 Patch Tuesday (KB5046613 / KB5046616)
Windows 11 (all versions)        Yes          November 2024 Patch Tuesday (KB5046617)
Windows Server 2008 R2           Yes          November 2024 Patch Tuesday
Windows Server 2012 / 2012 R2    Yes          November 2024 Patch Tuesday
Windows Server 2016              Yes          November 2024 Patch Tuesday
Windows Server 2019              Yes          November 2024 Patch Tuesday
Windows Server 2022              Yes          November 2024 Patch Tuesday

Technical Details

Windows AppContainer is a sandboxing mechanism used by Microsoft Edge, Firefox, and other applications to isolate renderer processes from the rest of the OS. Processes inside an AppContainer run with heavily restricted privileges and are supposed to be blocked from accessing most system resources and APIs.

The Task Scheduler service exposes an RPC endpoint (the \pipe\atsvc named pipe) through which clients manage scheduled tasks. CVE-2024-49039 is an improper authentication flaw (CWE-287) in this interface: the service did not adequately verify that its caller was entitled to use certain privileged RPC functions, so a process inside an AppContainer could invoke them even though the sandbox boundary is meant to block such calls. Through those calls an attacker-controlled sandboxed process can register and run a task outside the AppContainer, executing code at a higher integrity level than the sandbox. Note the precise claim: Microsoft's advisory describes the outcome as code execution or resource access at a higher integrity level than the AppContainer, not specifically SYSTEM, and public analyses of the RomCom chain describe the escaped payload running at Medium integrity, that is, as the logged-on user.

Attack characteristics:

  • Privileges required: Low — the precondition is code execution inside the sandboxed process; no credentials are needed beyond that
  • Complexity: Low — once code runs inside the sandbox, the sandbox escape is straightforward
  • Scope: Changed — the exploit crosses the AppContainer boundary and affects the host OS context
  • Primary use: Second stage in a browser exploit chain; not usable as a standalone remote attack

The CVSS score of 8.8 reflects the Changed scope — the vulnerability allows crossing a security boundary — combined with the complete (High) confidentiality, integrity, and availability impact on the host once the sandbox is escaped.

Discovery

ESET researchers discovered CVE-2024-49039 while investigating an active RomCom campaign in October 2024. They identified both zero-days being chained in the wild and reported them simultaneously: CVE-2024-9680 to Mozilla on October 8, 2024 (patched within one day on October 9), and CVE-2024-49039 to Microsoft on October 8, 2024 (patched on November 12 in the regular Patch Tuesday cycle).

Exploitation Context

The RomCom two-stage zero-day chain:

RomCom (also tracked as Storm-0978, UNC2596, Tropical Scorpius) used CVE-2024-49039 as the second stage of a browser-based drive-by attack:

  1. Stage 1 — CVE-2024-9680 (Firefox UAF): The victim visits a malicious RomCom-controlled website. A use-after-free in Firefox's animation timeline component gives the attacker code execution inside the Firefox content (renderer) process, which runs inside an AppContainer sandbox.
  2. Stage 2 — CVE-2024-49039 (Task Scheduler sandbox escape): The sandboxed exploit code calls privileged Task Scheduler RPC functions to register a task that runs outside the AppContainer. The task's code runs at a higher integrity level than the sandbox (Medium integrity, the logged-on user's own level, in ESET's description of the chain), which is enough to drop and run the RomCom backdoor on the host.

The chain required no click beyond loading the malicious page. It worked against up-to-date Firefox until Mozilla's October 9 release and against all supported Windows versions until Microsoft's November 12 update.

Campaign scope: ESET observed targets in Europe and North America, with victims primarily in government, defense, and energy sectors — consistent with RomCom's known targeting profile. RomCom has been linked to both espionage and ransomware operations (Cuba ransomware).

Remediation

  1. Apply the November 2024 Patch Tuesday updates — install the November 12, 2024 cumulative update for your Windows version. This is the only complete fix for CVE-2024-49039.
  2. Update Firefox to 131.0.2 or later (ESR 128.3.1 / 115.16.1 or later) — CVE-2024-9680 is a separate CVE fixed by Mozilla, but patching the browser removes Stage 1 of the chain and with it the drive-by entry point. Both patches are needed: the Windows fix alone leaves the browser exploitable, and the Firefox fix alone leaves the sandbox escape available to any other route to sandboxed code execution.
  3. Enable automatic Windows updates — both CVEs were patched promptly; organizations patching on release would have been protected within a day of the report for CVE-2024-9680 (reported October 8, fixed October 9) and within five weeks for CVE-2024-49039.
  4. Review scheduled tasks for anomalies — examine the Task Scheduler library, and Security event 4698 (task created) where object-access auditing is enabled, for tasks registered from late October 2024 onward, particularly tasks that run as SYSTEM or with highest privileges and whose actions reference executables or scripts in user-writable locations.
  5. Enable Microsoft Defender for Endpoint behavioral rules — EDR detections for AppContainer-escape behaviour can flag exploitation attempts even before patches are applied.
  6. Restrict RPC exposure — network-level RPC filtering limits remote use of the Task Scheduler interface for lateral movement, but it is hygiene rather than a mitigation for this CVE, which is exploited locally over the \pipe\atsvc endpoint and needs no network access after the initial compromise.
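
The review in step 4, as an added PowerShell hunt that is not part of this advisory and not Microsoft's tooling. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later, so not Windows Server 2008 R2), an elevated session so every task folder is readable, a hunt window starting 2024-10-01, and path and loader-binary heuristics that are starting points to tune per environment; the function names are this example's own.

```powershell
# Added hunt script: flag scheduled tasks that look like a sandbox-escape payload.
# Assumptions: ScheduledTasks module available, elevated session, heuristics tuned per environment.
param(
    [datetime]$Since = (Get-Date '2024-10-01')   # hunt window start; assumed, adjust to your exposure window
)

$script:TaskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
# Heuristics (assumed): user-writable or staging locations, and binaries commonly used as loaders.
$script:SuspiciousPathPatterns = @('\\Users\\', '\\ProgramData\\', '\\Temp\\', '\\Public\\', '\\Downloads\\')
$script:LolbinNames = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')

function Get-TaskRegistrationTime {
    param($Task)
    # Every registered task is backed by an XML file under System32\Tasks; the file's creation
    # time is when the task was registered, even when the task's own metadata is blank.
    $file = Join-Path $script:TaskRoot ($Task.TaskPath.TrimEnd('\') + '\' + $Task.TaskName)
    if (Test-Path -LiteralPath $file) { (Get-Item -LiteralPath $file).CreationTime } else { $null }
}

function Find-SuspiciousScheduledTask {
    param([datetime]$Since)
    foreach ($task in Get-ScheduledTask) {
        $created = Get-TaskRegistrationTime -Task $task
        if ($null -eq $created -or $created -lt $Since) { continue }

        $reasons = New-Object System.Collections.Generic.List[string]
        $principal = $task.Principal
        $runAs = if ($principal.UserId) { $principal.UserId } else { $principal.GroupId }

        # Privileged principal: SYSTEM by name or SID, or an elevated (Highest) run level.
        if ($runAs -match '^(SYSTEM|S-1-5-18|NT AUTHORITY\\SYSTEM)$' -or $principal.RunLevel -eq 'Highest') {
            $reasons.Add("runs as '$runAs' (RunLevel=$($principal.RunLevel))")
        }

        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions carry a ClassId instead of Execute
            $leaf = [IO.Path]::GetFileName(($exe -replace '"', '')).ToLower()
            if ($script:LolbinNames -contains $leaf) {
                $reasons.Add("launches $leaf with arguments: $($action.Arguments)")
            }
            $commandLine = "$exe $($action.Arguments)"
            foreach ($pattern in $script:SuspiciousPathPatterns) {
                if ($commandLine -match $pattern) { $reasons.Add("references a path matching $pattern"); break }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Created  = $created
                RunAs    = $runAs
                RunLevel = $principal.RunLevel
                Command  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
                Reasons  = $reasons -join '; '
            }
        }
    }
}

function Get-TaskCreationEvent {
    param([datetime]$Since)
    # Security event 4698 ("A scheduled task was created") records who registered a task, but only
    # if the "Audit Other Object Access Events" subcategory is enabled: no events is not proof of nothing.
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction Stop
    } catch {
        Write-Warning "No readable 4698 events since $Since ($($_.Exception.Message))"
        return
    }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Task    = $data['TaskName']
            Command = ([xml]$data['TaskContent']).Task.Actions.Exec.Command
        }
    }
}

$hits = @(Find-SuspiciousScheduledTask -Since $Since)
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { "No registered tasks matched the heuristics since $Since." }
Get-TaskCreationEvent -Since $Since | Format-Table -AutoSize -Wrap
```

Tasks that Microsoft's own cumulative update re-registers will appear with only the privilege reason; the rows worth a closer look are those that also carry an interpreter or path reason. The 4698 listing is the independent record: it names the account that registered the task, which the task file alone does not.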

Key Details

Property              Value
CVE ID                CVE-2024-49039
Vendor / Product      Microsoft — Windows
NVD Published         2024-11-12
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-287 (Improper Authentication)
CISA KEV Added        2024-11-12
CISA KEV Deadline     2024-12-03
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-12-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-10-08   ESET reports CVE-2024-49039 to Microsoft; companion Firefox zero-day CVE-2024-9680 reported to Mozilla the same day
2024-10-09   Mozilla releases Firefox 131.0.2, patching CVE-2024-9680 (the entry-point UAF)
2024-11-12   Microsoft patches CVE-2024-49039 in the November 2024 Patch Tuesday release; CVE added to the CISA KEV catalog
2024-12-03   CISA BOD 22-01 remediation deadline