Background
The Desktop Window Manager (DWM) is a core Windows component that manages the visual rendering of the Windows desktop. It handles window compositing, animations, and the Aero glass effects. Because it’s a fundamental system process running at high privilege, vulnerabilities in it are valuable for privilege escalation — an attacker with any user-level code execution can use a DWM bug to go from user to SYSTEM.
CVE-2024-30051 was patched by Microsoft in May 2024. Kaspersky discovered it being exploited in the wild as a zero-day and found it being distributed alongside QakBot (also known as Qbot), a well-established banking trojan and malware loader. The exploit was being sold or shared among multiple threat actors before Microsoft had a fix.
Technical Mechanism
The vulnerability is a heap buffer overflow in dwmcore.dll, the DWM Core Library. The overflow occurs during the processing of certain window geometry or compositor state data.
The DWM process runs as DWM-1\DwmApiService or similar at SYSTEM-level privilege. Exploiting this overflow from a low-privileged user context allows:
- Heap corruption in the DWM process’s address space
- Through controlled heap manipulation (heap spraying), overwrite of critical data structures or function pointers
- Code execution within the DWM process — at SYSTEM privilege
- The attacker’s code now runs as SYSTEM on the local machine
This is a local privilege escalation — it requires an attacker to already have code execution as a regular user. In practice, this is typically chained with a phishing or social engineering lure to get initial user-level execution (e.g., QakBot infection), followed by the LPE to gain SYSTEM.
Real-World Exploitation Evidence
Kaspersky’s analysis of the zero-day exploitation found:
- The exploit was distributed as part of a multi-stage payload delivery, with QakBot and DarkMe malware observed alongside it
- Multiple different threat actor clusters appeared to have access to the exploit simultaneously, suggesting it was being sold through underground channels before Microsoft patched it
- The exploit code contained Russian-language strings and comments in some samples analysed, though attribution remains uncertain
- Exploitation predated the May 2024 patch by at least several weeks
The combination of QakBot (a prolific loader used by multiple ransomware affiliates) with a zero-day LPE is concerning — it suggests ransomware operators were equipped with the capability to reliably escalate to SYSTEM on compromised endpoints.
Impact Assessment
- SYSTEM-level code execution on compromised endpoints
- Security tool bypass — SYSTEM access allows disabling AV/EDR products
- Credential dumping — SYSTEM required for LSASS dumping and SAM/AD database access
- Ransomware precursor — privilege escalation to SYSTEM is a standard ransomware deployment prerequisite
- Persistence — SYSTEM-level access enables installation of kernel-mode rootkits and boot-time persistence mechanisms
- Domain escalation path — from SYSTEM on a domain-joined machine, attacks against domain controller (DCSync, etc.) become straightforward
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Windows 10 (21H2, 22H2) | Before May 2024 patches | KB5037771 |
| Windows 11 (21H2, 22H2, 23H2) | Before May 2024 patches | KB5037771, KB5037770 |
| Windows Server 2019 | Before May 2024 patches | KB5037765 |
| Windows Server 2022 | Before May 2024 patches | KB5037782 |
Remediation Steps
- Apply May 2024 Patch Tuesday updates immediately
- If QakBot or similar malware is suspected on endpoints, run full endpoint scans before and after patching
- Check for QakBot indicators of compromise:
  - Registry keys under HKCU\Software\Microsoft\ with unusual names
  - Scheduled tasks with randomised names
  - DLL injections in running processes
- Monitor for LSASS memory access following exploitation (often indicates credential dumping)
- Deploy endpoint detection and response (EDR) capable of detecting LPE exploitation behaviours
- Use Windows Defender Credential Guard to protect credentials from LSASS dumping post-exploit
Detection Guidance
Endpoint telemetry — look for:
- Unexpected SYSTEM-privileged processes with low-privileged parent processes
- DWM process crashes or restarts (from failed exploit attempts)
- dwmcore.dll loading into unusual process memory regions
EDR/SIEM rules:
```
event_type = "process_create" AND
integrity_level = "System" AND
parent_integrity_level IN ("Medium", "Low") AND
NOT parent_path IN (trusted_elevation_paths)
```
Windows Event Logs:
- Event ID 4688: New process creation with SYSTEM token from non-SYSTEM parent
- Event ID 1000: Application crash in dwm.exe (failed exploit attempts)
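As an added example that is not part of the original advisory, the process-creation rule and the dwm.exe crash signal above implemented in Python over constructed telemetry; the `Event` fields, the trusted-path allowlist and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed allowlist of parents that legitimately spawn System-integrity children
# from a Medium-integrity context (constructed for this example; tune per environment).
TRUSTED_ELEVATION_PATHS = {
    r"c:\windows\system32\consent.exe",
    r"c:\windows\system32\svchost.exe",
}
LOW_LEVELS = {"Medium", "Low"}

@dataclass
class Event:
    event_type: str               # "process_create" (4688-style) or "app_crash" (1000-style)
    integrity_level: str = ""     # integrity level of the new process token
    parent_integrity_level: str = ""
    parent_path: str = ""
    image: str = ""               # new process image, or faulting application for app_crash

def suspicious_elevation(ev: Event) -> bool:
    """The SIEM rule above: a System-integrity child created by a Medium/Low parent
    whose path is not on the trusted elevation allowlist."""
    return (ev.event_type == "process_create"
            and ev.integrity_level == "System"
            and ev.parent_integrity_level in LOW_LEVELS
            and ev.parent_path.lower() not in TRUSTED_ELEVATION_PATHS)

def dwm_crash(ev: Event) -> bool:
    """Application crash of dwm.exe, the Event ID 1000 signal for failed exploit attempts."""
    return ev.event_type == "app_crash" and ev.image.lower().endswith("\\dwm.exe")

def triage(events):
    """Return the elevation alerts and the number of dwm.exe crashes in a batch."""
    alerts = [ev for ev in events if suspicious_elevation(ev)]
    crashes = sum(1 for ev in events if dwm_crash(ev))
    return alerts, crashes

# Constructed sample telemetry: a System-to-System spawn, an allowlisted parent,
# a Medium-to-System spawn from a user Temp directory, and one dwm.exe crash.
SAMPLE_EVENTS = [
    Event("process_create", "System", "System", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    Event("process_create", "System", "Medium", r"C:\Windows\System32\consent.exe", r"C:\Windows\regedit.exe"),
    Event("process_create", "System", "Medium", r"C:\Users\alice\AppData\Local\Temp\loader.exe", r"C:\Windows\System32\cmd.exe"),
    Event("app_crash", image=r"C:\Windows\System32\dwm.exe"),
]

if __name__ == "__main__":
    alerts, crashes = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f"ALERT: {a.image} (System) spawned by {a.parent_path} ({a.parent_integrity_level})")
    print(f"dwm.exe crashes in batch: {crashes}")
```

Only the third record trips the rule; the first is excluded by the parent's integrity level and the second by the allowlist, which is exactly where false positives in this rule are tuned out.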
Suricata signature (for QakBot C2 that delivers this exploit):
```
alert tls any any -> any any (msg:"QakBot C2 Communication Possibly Related to CVE-2024-30051 Chain"; tls.sni; content:".top"; endswith; classtype:trojan-activity; sid:2034017; rev:1;)
```
Timeline
| Date | Event |
|---|---|
| Early 2024 | CVE-2024-30051 exploited as zero-day; distributed alongside QakBot |
| May 2024 | Kaspersky discovers and reports zero-day exploitation to Microsoft |
| 14 May 2024 | Microsoft patches CVE-2024-30051 in May Patch Tuesday |
| May 2024 | CISA adds to Known Exploited Vulnerabilities catalogue |
| May 2024 | Kaspersky publishes technical analysis of zero-day |