Security News > 2024 > May > May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)

For May 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, including two zero-days actively exploited by attackers.
CVE-2024-30051 is a heap-based buffer overflow vulnerability affecting the Windows DWM Core Library that can be exploited to elevate attackers' privileges on a target system.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft says.
CVE-2024-30040 is a vulnerability that allows attackers to bypasses OLE mitigations in Microsoft 365 and Microsoft Office.
"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user."
Satnam Narang, senior staff research engineer at Tenable, says that exploitation of CVE-2024-30044, the only critical vulnerability fixed this month, requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions first and then take additional steps, "Which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance."
News URL
https://www.helpnetsecurity.com/2024/05/14/patch-tuesday-cve-2024-30051-cve-2024-30040/
Related news
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
- Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- March 2025 Patch Tuesday forecast: A return to normalcy (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-05-14 | CVE-2024-30051 | Out-of-bounds Write vulnerability in Microsoft products Windows DWM Core Library Elevation of Privilege Vulnerability | 0.0 |
2024-05-14 | CVE-2024-30044 | Deserialization of Untrusted Data vulnerability in Microsoft Sharepoint Server 2016/2019 Microsoft SharePoint Server Remote Code Execution Vulnerability | 0.0 |
2024-05-14 | CVE-2024-30040 | Unspecified vulnerability in Microsoft products Windows MSHTML Platform Security Feature Bypass Vulnerability | 8.8 |