March 7, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Critical Security Flaw Exposes Windows 11 24H2 Users to Password Theft and Antivirus Bypass


September 29: Security researchers at Zero Salarium have uncovered a significant vulnerability in Windows 11 version 24H2 that allows attackers to abuse the legitimate Windows file WerFaultSecure.exe to steal cached passwords and disable security software.

The vulnerability exploits a component of Windows Error Reporting (WER) that operates with Protected Process Light (PPL) privileges—among the highest permission levels in the Windows operating system. By running a vulnerable WerFaultSecure.exe binary originally compiled for Windows 8.1 under Windows 11, attackers can obtain unencrypted memory dumps of the Local Security Authority Subsystem Service (LSASS), which stores user credentials in memory.

Dual-Threat Attack Vector

The exploit presents a two-pronged threat. First, attackers can extract plaintext passwords from the unencrypted memory dumps using readily available tools like Mimikatz. Second, researchers have developed a proof-of-concept tool called “EDR-Freeze” that leverages the same WerFaultSecure vulnerability to temporarily suspend antimalware and endpoint detection and response (EDR) processes for 1-3 seconds without requiring vulnerable driver installations.

EDR-Freeze operates in user mode and works on the latest Windows versions; when invoked from a script, it can freeze security software repeatedly, creating windows of opportunity in which malicious activity can proceed undetected.

Real-World Implications

The simplicity of the attack makes it particularly concerning. An attacker with initial access to a system could repeatedly invoke the exploit script to keep security software in a suspended state while extracting credentials and performing unauthorized operations. The attack doesn’t require kernel-level access or the traditional “Bring Your Own Vulnerable Driver” (BYOVD) technique commonly used to bypass security protections.

While Microsoft Defender has been reported to detect some exploitation attempts, the vulnerability affects third-party security solutions that rely on standard Windows protection mechanisms.

Microsoft’s Response

At the time of writing, no patch is available from Microsoft to address this vulnerability. The company has not provided a timeline for a security update that fixes the WerFaultSecure.exe exploit.

This disclosure comes at a particularly sensitive time, as Windows 11 24H2 was marketed as Microsoft’s most secure Windows release to date. The vulnerability undermines fundamental security assumptions about protected processes and highlights potential gaps in how legacy system components interact with modern security architectures.

Security experts recommend that organizations closely monitor for suspicious WerFaultSecure.exe activity and implement additional layers of credential protection until Microsoft releases an official patch. The vulnerability serves as a stark reminder that even highly privileged system components can become attack vectors when their trust relationships are exploited.
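One way to act on that monitoring advice, as an added example that is not part of the article or of the researchers' tooling: a PowerShell hunt that checks every running or recently launched WerFaultSecure.exe for the traits the article describes (a copy outside the expected system directories, a file version older than the installed OS, or a broken signature). It assumes process-creation auditing (Security event 4688) is enabled, and the "file version below the OS major version" rule is this example's own heuristic.

```powershell
# Added example (not from the article): hunt for WerFaultSecure.exe instances that do not
# match the installed OS build, and for process-creation events that launched one.
# Assumes Security auditing of process creation (4688) is on; CommandLine is only
# populated when "Include command line in process creation events" is also enabled.

$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$osMajor = ([version](Get-CimInstance Win32_OperatingSystem).Version).Major   # 10 on Windows 10/11

function Test-WerFaultSecureBinary {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path $Path)) { return @("missing on disk: $Path") }
    if ($expectedDirs -notcontains (Split-Path $Path -Parent)) { $findings += "unexpected location: $Path" }
    $ver = (Get-Item $Path).VersionInfo
    # Heuristic: a copy older than the running OS (a Windows 8.1 build reports major version 6)
    # is the downlevel-binary pattern the article describes.
    if ($ver.FileMajorPart -lt $osMajor) { $findings += "downlevel file version $($ver.FileVersion)" }
    $sig = Get-AuthenticodeSignature $Path
    if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
    return $findings
}

# 1. Live check of any WerFaultSecure.exe currently running
Get-Process -Name WerFaultSecure -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    if ($proc.Path) {
        Test-WerFaultSecureBinary $proc.Path | ForEach-Object { Write-Warning "PID $($proc.Id): $_" }
    }
}

# 2. Process-creation events from the last 7 days that launched a WerFaultSecure.exe
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -like '*\WerFaultSecure.exe') {
            $issues = Test-WerFaultSecureBinary $data['NewProcessName']
            if ($issues) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Parent = $data['ParentProcessName']
                    Cmd    = $data['CommandLine']
                    Issues = ($issues -join '; ')
                }
            }
        }
    }
```

Run it from an elevated prompt so the Security log is readable; a legitimate WerFaultSecure.exe on a patched Windows 11 host should produce no findings, so any row returned is worth triaging together with its parent process.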
