CVE-2024-3566

9.8 CRITICAL

Published: April 10, 2024 Modified: November 18, 2025

Description

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Source: cret@cert.org

Exploit Third Party Advisory

https://kb.cert.org/vuls/id/123335

Source: cret@cert.org

Third Party Advisory

https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way

Source: cret@cert.org

Technical Description

https://www.cve.org/CVERecord?id=CVE-2024-1874

Source: cret@cert.org

Not Applicable

https://www.cve.org/CVERecord?id=CVE-2024-22423

Source: cret@cert.org

Not Applicable

https://www.cve.org/CVERecord?id=CVE-2024-24576

Source: cret@cert.org

Not Applicable

https://www.kb.cert.org/vuls/id/123335

Source: cret@cert.org

Not Applicable

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/