IRONSMITHINTEL
Severity: HIGH | CVSS 7.8 | CVE-2024-43623 | Auth: low — any local user | Reboot: required | Est. 30–60 minutes including reboot | Manual only

Windows NT OS Kernel Integer Overflow — Local EoP From Low-Privilege User to SYSTEM (CVE-2024-43623)

An integer overflow in the Windows NT kernel lets a low-privilege local user escalate to SYSTEM. Microsoft rates exploitation "More Likely". Apply the November 2024 cumulative update across the fleet — this is a standard chained-exploit kernel EoP that pairs with phishing or any initial-access vector.

Published Nov 12, 2024 · Updated May 16, 2026
Why patch: risk explained in plain English

Worst-case scenario: if unpatched

An attacker who has already obtained any code execution on the host — through a phishing payload, a service exploit, or a malicious RDP user — can use this bug to escalate to SYSTEM. From SYSTEM, the attacker can dump LSASS to extract credentials, disable EDR drivers, install kernel rootkits, and persist indefinitely. Local kernel EoPs like this are the standard "second stage" in modern intrusion chains and are routinely bundled into off-the-shelf post-exploitation frameworks.

How the attack works

An integer overflow in the Windows NT kernel allows a process running as a low-privilege user to corrupt kernel memory and escalate to SYSTEM. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025 prior to the November 2024 Patch Tuesday. The Microsoft advisory rates the vulnerability "Exploitation More Likely" — meaning Microsoft expects reliable exploit code to emerge and be incorporated into commodity attack tooling within roughly 30 days.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers (multi-user RDS, jump hosts, terminal servers)
Domain-joined workstations
Any host an attacker can land low-privilege code on
Running Windows Server 2008 SP2 through Windows Server 2025, prior to the November 2024 cumulative update

Affected OS versions

Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2022 23H2
Windows Server 2025

Fixed in: November 2024 Patch Tuesday cumulative update (see the manual remediation steps below for per-OS KB lookup)

Real-world incidents: what we've seen

CVE-2024-43623 was patched in the November 2024 Patch Tuesday rollup. Microsoft's "Exploitation More Likely" rating is reserved for bugs with simple, reliable exploit primitives — integer overflows in the kernel typically meet that bar because the path from overflow to controlled write is well-understood. Multiple researchers published kernel-crash PoCs shortly after disclosure; weaponised versions are expected to surface in red-team toolkits.

How to patch

Manual remediation steps

30–60 minutes including reboot

Apply the November 2024 cumulative update

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com
2. Search for CVE-2024-43623 to find the current superseding cumulative for your OS
3. Approve via WSUS / SCCM, or download the MSU and run as Administrator
4. Restart the server

Defence-in-depth — reduce local-attacker exposure

# Inventory accounts allowed to log on locally to multi-user servers:
secedit /export /cfg local-policy.txt /quiet
Select-String -Path local-policy.txt -Pattern "SeInteractiveLogonRight"

# Remove unnecessary "Allow log on locally" grants:
#   Local Security Policy → Local Policies → User Rights Assignment →
#   "Allow log on locally" and "Allow log on through Remote Desktop Services"
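
To turn that export into a list you can review, the following added example (not part of the original advisory) parses the policy file for both logon rights named above and resolves each SID to an account name. The function name Get-LogonRightHolders and the sample policy lines are constructed for illustration.

```powershell
# Added example, not from the original page.
# Lists principals holding "Allow log on locally" (SeInteractiveLogonRight) and
# "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight).
function Get-LogonRightHolders {
    param([Parameter(Mandatory)][string[]]$PolicyLines)

    $rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
    foreach ($line in $PolicyLines) {
        # Entries look like: SeInteractiveLogonRight = *S-1-5-32-544,Guest
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $members = $Matches[2] -split ','
            if ($rights -notcontains $right) { continue }

            foreach ($entry in $members) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*')) {
                    # A leading '*' marks a SID; keep the raw SID if it cannot be resolved.
                    $sid = $entry.TrimStart('*')
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = "$sid (unresolved)"
                    }
                }
                [pscustomobject]@{ Right = $right; Principal = $name }
            }
        }
    }
}

# Constructed sample input, so the function can be tried without exporting policy.
$sample = @(
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
    'SeDenyInteractiveLogonRight = Guest'
)
Get-LogonRightHolders -PolicyLines $sample | Format-Table -AutoSize

# On a real host (elevated prompt), feed it the export instead:
#   secedit /export /cfg local-policy.txt /areas USER_RIGHTS /quiet
#   Get-LogonRightHolders -PolicyLines (Get-Content local-policy.txt)
```

Broad groups such as BUILTIN\Users or Remote Desktop Users in the output are the grants to review first on multi-user servers.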

Verify

# Confirm the NT kernel is patched (build at or above November 2024 level):
(Get-Item C:\Windows\System32\ntoskrnl.exe).VersionInfo.FileVersion
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.