Security News > 2024 > May > May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
For May 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, including two zero-days actively exploited by attackers.
CVE-2024-30051 is a heap-based buffer overflow vulnerability affecting the Windows DWM Core Library that can be exploited to elevate attackers' privileges on a target system.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft says.
CVE-2024-30040 is a vulnerability that allows attackers to bypasses OLE mitigations in Microsoft 365 and Microsoft Office.
"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user."
Satnam Narang, senior staff research engineer at Tenable, says that exploitation of CVE-2024-30044, the only critical vulnerability fixed this month, requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions first and then take additional steps, "Which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance."
News URL
https://www.helpnetsecurity.com/2024/05/14/patch-tuesday-cve-2024-30051-cve-2024-30040/
Related news
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Cybercrime gang exploited VeraCore zero-day vulnerabilities for years (CVE-2025-25181, CVE-2024-57968) (source)
- February 2025 Patch Tuesday forecast: New directions for AI development (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-14 | CVE-2024-30051 | Out-of-bounds Write vulnerability in Microsoft products Windows DWM Core Library Elevation of Privilege Vulnerability | 0.0 |
| 2024-05-14 | CVE-2024-30044 | Deserialization of Untrusted Data vulnerability in Microsoft Sharepoint Server 2016/2019 Microsoft SharePoint Server Remote Code Execution Vulnerability | 0.0 |
| 2024-05-14 | CVE-2024-30040 | Unspecified vulnerability in Microsoft products Windows MSHTML Platform Security Feature Bypass Vulnerability | 8.8 |