CVE-2024-3566

high-risk
Published 2024-04-10

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Do I need to act?

~
7.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (6)

Go
Process Library
Php
Yt-Dlp

Affected Vendors

Php Nodejs Golang Rust-Lang Haskell Yt-Dlp Project

References (15)

Exploit https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-o...
Third Party Advisory https://kb.cert.org/vuls/id/123335
Technical Description https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/eve...
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-1874
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-22423
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-24576
Not Applicable https://www.kb.cert.org/vuls/id/123335
Exploit https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-o...
https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566
Third Party Advisory https://kb.cert.org/vuls/id/123335
Technical Description https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/eve...
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-1874
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-22423
Not Applicable https://www.cve.org/CVERecord?id=CVE-2024-24576
Not Applicable https://www.kb.cert.org/vuls/id/123335
54
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 13/34 · Low