CVE-2024-29187: GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Jun

Released

2024-06-11

Last Updated

2025-09-02

EPSS Score

0.07% (percentile: 20.8%)

Description

Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required  is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious file and convince the user to open it. Why is this GitHub CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Wix Toolset software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. What is the mitigation strategy for Microsoft developer toolkits that are affected by this vulnerability? Microsoft is committed to ensuring the security and integrity of our products. We are pleased to announce that an update in reference to the WiX vulnerability (CVE-2024-29187), which affect various kits, has been released. This vulnerability, which allows for binary hijacking when the installer is run as SYSTEM, was publicly disclosed on GitHub in March 2024. Following are the mitigation steps we have taken for each toolkit: Windows Assessment and Deployment Kit (Windows ADK) and Windows PE add-on Update: As of May 29, 2025, mitigations are also available for Windows Assessment and Deployment Kit (Windows ADK) and Windows PE add-on. The WiX vulnerability has been addressed in the following ADK versions: ADK and ADK WinPE Add-on version 10.1.26100.2454 and later ADK and ADK WinPE Add-on version 10.1.25398.1 (Republished in January 2025) ADK and ADK WinPE Add-on for Windows 11, version 22H2 (Republished in May 2025) ADK and ADK WinPE Add-on for Windows Server 2022 (Republished in May 2025) ADK and ADK WinPE Add-on for Windows 10, version 2004 (Republi

Affected Products (29)

Developer Tools

• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.6
• Microsoft Visual Studio 2022 version 17.8
• Microsoft Visual Studio 2022 version 17.10
• Windows SDK
• Windows Driver Kit (WDK)
• Windows ADK for Windows 10, version 2004
• Windows ADK for Windows 11, version 23H2
• Windows ADK for Windows 11, version 22H2
• Windows ADK for Windows Server 2022
• Windows PE add-on for ADK for Windows 10 version 1809
• Windows PE add-on for ADK for Windows 10 version 2004
• Windows PE add-on for ADK for Windows 11 version 22H2
• Windows PE add-on for ADK for Windows 11 version 23H2
• Windows ADK for Windows 10, version 1607
• Windows ADK for Windows 10, version 1809
• Windows ADK for Windows 11, version 24H2
• Windows PE add-on for ADK for Windows 11 version 24H2
• Windows PE add-on for ADK for Windows Server 2022

Windows

• Windows 11 HLK 23H2
• Windows HLK, version 1607
• Windows 11 HLK 22H2
• Windows 11 HLK 24H2
• Windows HLK for Windows Server 2019
• Windows HLK, version 1809
• Windows 10 HLK Version 22H2

Azure

• Windows HLK for Windows Server 2022

Security Updates (15)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Zoe Kniskern with Microsoft, <a href="https://twitter.com/sim0nsecurity">Simon (@sim0nsecurity)</a>, Naceri with MSRC Vulnerabilities &amp; Mitigations, Naceri with MSRC Vulnerabilities &amp; Mitigations

Revision History

• 2024-06-11: Information published.
• 2024-08-13: To comprehensively address CVE-2024-29187, Microsoft has released security updates on August 13, 2024 for Microsoft Visual Studio 2017 version 15.9, Microsoft Visual Studio 2019 version 16.11, and Microsoft Visual Studio 2022 version 17.6. Microsoft recommends customers install the updates to be fully protected from the vulnerability.
• 2025-05-13: In the Security Updates table, added Windows Driver Kit (WDK), Windows SDK, Windows 11 HLK 24H2, Windows 11 HLK 22H2, Windows 10 HLK Version 22H2, Windows 10 HLK Version 21H2, Windows HLK for Windows Server 2022, Windows HLK for Windows Server 2019, and Windows HLK Version 1809 because these developer kits are also affected by this vulnerability. Microsoft strongly recommends that customers using these products install the updates to be fully protected from the vulnerability. See the FAQs section of this vulnerability for more information.
• 2025-05-15: Updated the FAQs to further clarify the update guidance for this CVE. This is an informational change only.
• 2025-06-04: In the Security Updates table added the following versions of Windows ADK and ADK WinPE Add-on because these developer kits are also affected by this vulnerability. Microsoft strongly recommends that customers using these products install the updates to be fully protected from the vulnerability. See the FAQs section of this vulnerability for more information: ADK and ADK WinPE Add-on version 10.1.26100.2454 and later ADK and ADK WinPE Add-on version 10.1.25398.1 (Republished in January 2025) ADK and ADK WinPE Add-on for Windows 11, version 22H2 (Republished in May 2025) ADK and ADK WinPE Add-on for Windows Server 2022 (Republished in May 2025) ADK and ADK WinPE Add-on for Windows 10, version 2004 (Republished in May 2025) ADK and ADK WinPE Add-on for Windows 10, version 1809 (Republished in May 2025) ADK for Windows 10, version 1607 (Republished in May 2025)
• 2025-07-08: In the Security Updates table added Windows 11 HLK 24H2 because this developer kit is also affected by this vulnerability. Microsoft strongly recommends that customers using this product install the update to be fully protected from the vulnerability. See the FAQs section of this vulnerability for more information.
• 2025-07-15: In the Security Updates table, added Windows HLK, Version 1607 because this developer kits is also affected by this vulnerability. Microsoft strongly recommends that customers using Windows HLK, Version 1607 install the update to be fully protected from the vulnerability. See the FAQs section of this vulnerability for more information.
• 2025-09-02: Added an acknowledgement. This is an informational change only.