A recently released proof-of-concept (PoC) exploit has drawn attention to a critical zero-click remote code execution (RCE) vulnerability affecting Windows Server. This flaw, identified as CVE-2024-38077, impacts a wide range of Windows Server versions, from the year 2000 to the latest preview for 2025. The vulnerability resides within the Windows Remote Desktop Licensing Service, which is essential for managing and issuing licenses for remote desktop access in many business environments.
The vulnerability, informally referred to as “MadLicense,” is particularly concerning due to its ability to be exploited without any user interaction. Unlike many RCE vulnerabilities that necessitate some form of user action, CVE-2024-38077 allows attackers to execute arbitrary code on vulnerable systems effortlessly. This characteristic heightens the risk, especially given the extensive deployment of the Remote Desktop Licensing Service across various organizations.
Exploit Released – MadLicense
At the core of this vulnerability is a heap overflow issue within the
The exploit functions by manipulating the licensing service to load a remote DLL, thereby allowing attackers to execute arbitrary shellcode within the service’s process. While the PoC is presented in pseudocode and intentionally obfuscated to deter misuse, it underscores the gravity of the vulnerability and the potential for exploitation.
With over 170,000 Remote Desktop Licensing Services exposed to the public internet, the implications of this vulnerability are significant. Its zero-click nature exacerbates the threat, as it can be exploited without any user interaction, raising the likelihood of widespread attacks.
Microsoft has been notified about the exploitability of this vulnerability but initially categorized it as “exploitation less likely.” Nevertheless, security researchers stress the importance of promptly patching affected systems to avert potential exploitation. They emphasize, “We demonstrate how a single vulnerability was exploited to bypass all mitigations and achieve a pre-authentication remote code execution (RCE) attack on Windows Server 2025, which is considered the most secure Windows Server.”
To mitigate risks, organizations are encouraged to apply Microsoft’s latest security updates. Additionally, network administrators should contemplate implementing supplementary security measures, such as network segmentation and stringent access controls, to minimize the attack surface.
The researchers involved in this discovery have adhered to responsible disclosure practices, sharing details about the vulnerability and its exploitability with Microsoft. Their goal is to raise awareness regarding the risks associated with this vulnerability and to prompt swift action to secure affected systems.
While there are currently no known exploits in circulation for the CVE-2024-38077 vulnerability, Microsoft has released a patch. It is imperative for users to apply this update to mitigate potential risks effectively.
