Cybersecurity Briefing — August 14, 2024

Executive briefing: CISA expanded the Known Exploited Vulnerabilities (KEV) catalog on August 14, 2024 to include Microsoft CVE-2024-38112 and CVE-2024-38080, confirming in-the-wild exploitation and setting a September 4 remediation deadline for U.S. civilian agencies. The chaining potential between the Windows MSHTML remote code execution bug and the kernel privilege escalation means regulated enterprises must accelerate August Patch Tuesday rollouts and validate monitoring coverage.

Key industry signals

• Active exploitation. CISA’s alert states both CVEs are already leveraged by adversaries, activating Binding Operational Directive 22-01 timelines for patching federal networks by September 4, 2024.
• Patch Tuesday follow-on. Microsoft’s August 2024 security release documents show the MSHTML flaw is triggered through crafted Internet Shortcut files, while CVE-2024-38080 allows local privilege escalation—an attractive post-exploitation chain.
• Third-party exposure. Managed service providers and ISVs that embed WebView or host Windows terminal servers inherit the KEV risk and must pass remediation attestations to downstream customers.

Control alignment

• NIST CSF 2.0 PR.IP-12. Enforce rapid vulnerability remediation workflows that prioritise KEV-listed flaws across workstation, VDI, and server fleets.
• CISA Cybersecurity Performance Goal (CPG) 5.A. Maintain verified, tested backups and patch rollback plans for Windows platforms patched on accelerated schedules.
• CIS Controls v8 7.7. Document automated patch verification and exception handling for MSHTML-dependent applications to preserve compliance with exception tracking requirements.

Detection and response priorities

• Hunt for anomalous .url shortcut executions spawning mshta.exe or rundll32.exe, especially when launched from email or Teams cache paths associated with CVE-2024-38112 tradecraft.
• Correlate Microsoft Defender for Endpoint telemetry for alerts such as Suspicious Shortcut File Execution and new kernel-mode driver loads that follow user logon spikes.
• Review privileged account activity on Remote Desktop Session Hosts and VDI brokers for signs of post-exploitation privilege escalation tied to CVE-2024-38080.

Enablement moves

• Stage canary systems with August cumulative updates, execute smoke tests for line-of-business apps, and then greenlight enterprise-wide deployment within 48 hours.
• Brief disclosure committees and risk owners on the KEV deadline so governance records show alignment with BOD 22-01 expectations.
• Require MSPs and critical software suppliers to confirm installation of the August cumulative updates and provide telemetry sharing for shortcut abuse attempts.

Sources

• CISA — CISA Adds Two Known Exploited Vulnerabilities to Catalog (August 14, 2024)
• Microsoft Security Update Guide: CVE-2024-38112 (Published August 13, 2024)
• Microsoft Security Update Guide: CVE-2024-38080 (Published August 13, 2024)

Zeph Tech orchestrates accelerated Windows hardening, shortcut abuse monitoring, and supplier attestation workflows so clients stay ahead of KEV enforcement windows.