
CVE-2024-29187

Published: May 13, 2025
Source: msrc
CVSS3: 7.3
EPSS: Low

Description

GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious file and convince the user to open it.

Why is this GitHub CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in WiX Toolset software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

What is the mitigation strategy for Microsoft developer toolkits that are affected by this vulnerability?

Microsoft is committed to ensuring the security and integrity of our products. We are pleased to announce that an update in reference to the WiX vulnerability (CVE-2024-29187), which affects various kits, has been released. This vulnerability, which allows for binary hijacking when the installer is run as SYSTEM, was publicly disclosed on GitHub in March 2024.

Following are the mitigation steps we have taken for each toolkit:

Windows Assessment and Deployment Kit (Windows ADK) and Windows PE add-on

Update: As of May 29, 2025, mitigations are also available for Windows Assessment and Deployment Kit (Windows ADK) and Windows PE add-on.

The WiX vulnerability has been addressed in the following ADK versions:

  • ADK and ADK WinPE Add-on version 10.1.26100.2454 and later
  • ADK and ADK WinPE Add-on version 10.1.25398.1 (Republished in January 2025)
  • ADK and ADK WinPE Add-on for Windows 11, version 22H2 (Republished in May 2025)
  • ADK and ADK WinPE Add-on for Windows Server 2022 (Republished in May 2025)
  • ADK and ADK WinPE Add-on for Windows 10, version 2004 (Republished in May 2025)
  • ADK and ADK WinPE Add-on for Windows 10, version 1809 (Republished in May 2025)
  • ADK for Windows 10, version 1607 (Republished in May 2025)

Because older ADK releases are susceptible to the WiX vulnerability, we recommend that customers always use the latest released ADK. If one of the ADK versions (prior to version 10.1.26100.2454) from the preceding list must be used, make sure to install it with the new links provided in Download and install the Windows ADK - Other ADK downloads (https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install#other-adk-downloads). As a result, other older ADK versions will no longer be distributed.

See the Summary Table at the end of this FAQ for the ADK and ADK WinPE Add-on that is applicable to your system.

Windows Driver Kit (WDK)

The WiX vulnerability has been addressed in WDK version 10.0.26100.1591 and later. The latest WDK supports driver development for Windows 10, Windows Server 2016, and all later client and server versions.

Because older WDK releases are susceptible to the WiX vulnerability and the latest kits include the most secure and updated tools and compilers, we recommend that customers always use the latest released WDK. As a result, older WDK versions will no longer be distributed. See https://learn.microsoft.com/windows-hardware/drivers/download-the-wdk for more information.

Software Development Kit (SDK)

The WiX vulnerability has been addressed in SDK version 10.0.26100.1742 and later. The latest SDK for Windows 11 can be used to build Universal Windows Platform (UWP) and Win32 apps for Windows 11, version 24H2, and earlier Windows releases.

Since older SDK versions are affected by the WiX vulnerability and the latest releases offer the most secure and updated tools, we recommend always using the latest SDK. See https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ for more information.

Hardware Lab Kit (HLK)

We have serviced and released older versions of HLK with fixes for the WiX vulnerability. Customers are encouraged to update to either the latest HLK version or a matching serviced version when testing drivers for older operating systems. See https://learn.microsoft.com/windows-hardware/test/hlk/ for more information.

Mitigations for additional kits are in process.

Summary Table

The following table provides a breakdown of Windows version and the recommended kits to use.

Windows Version | SDK | WDK | HLK | ADK
Windows 11 version 24H2, Windows Server 2025 | 24H2_SDK | 24H2_WDK | Windows Hardware Lab Kit - Microsoft Learn | ADK 10.1.26100.2454 (December 2024) or later
Windows 11 version 23H2 | Use latest released SDK | Use latest released WDK | Windows Hardware Lab Kit - Microsoft Learn | ADK 10.1.25398.1 (Republished in January 2025)
Windows 11 version 22H2 | Use latest released SDK | Use latest released WDK | Windows Hardware Lab Kit - Microsoft Learn | ADK Windows 11, version 22H2 (Republished in May 2025)
Windows Server 2022 | Use latest released SDK | Use latest released WDK | Windows HLK for Windows Server 2022 | ADK for Windows Server 2022 (Republished in May 2025)
Windows 10 versions 22H2, 21H2, 21H, 20H2 and 2004 | Use latest released SDK | Use latest released WDK | Windows HLK for Windows 10, version 2004 | ADK for Windows 10, version 2004 (Republished in May 2025)
Windows version 1903 | Use latest released SDK | Use latest released WDK | Out of support | Out of support
Windows 10 version 1809, Windows Server 2019 | Use latest released SDK | Use latest released WDK | Windows Hardware Lab Kit - Microsoft Learn | ADK for Windows 10, version 1809 (Republished in May 2025)
Windows 10 version 1803 | Use latest released SDK | Use latest released WDK | Out of support | Out of support
Windows 10 version 1709 | Use latest released SDK | Use latest released WDK | Out of support | Out of support
Windows 10 version 1703 | Use latest released SDK | Use latest released WDK | Out of support | Out of support
Windows 10 version 1607 | Use latest released SDK | Use latest released WDK | Windows Hardware Lab Kit - Microsoft Learn | ADK for Windows 10, version 1607 (Republished in May 2025)

Updates

Product | Article | Update
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2022 version 17.4
Microsoft Visual Studio 2022 version 17.6
Microsoft Visual Studio 2022 version 17.8
Microsoft Visual Studio 2022 version 17.10
Windows 11 HLK 22H2
Windows 11 HLK 24H2
Windows HLK for Windows Server 2022
Windows HLK for Windows Server 2019

Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Less Likely

EPSS: 0.00058 (percentile: 18%), Low

CVSS3: 7.3 High

Related vulnerabilities

CVSS3: 7.3
nvd
almost 2 years ago

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

CVSS3: 7.3
github
almost 2 years ago

WiX based installers are vulnerable to binary hijack when run as SYSTEM

CVSS3: 7.3
fstec
almost 2 years ago

A vulnerability in the GetTempPathW function of the WiX Toolset installer-authoring toolset for the Windows operating system that allows an attacker to elevate privileges
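
The NVD entry above attributes the issue to a SYSTEM process dropping and loading binaries in a directory that standard users can also write to. As an added example (not code from WiX, MSRC or this page), the Python below audits a directory's SDDL security descriptor for allow ACEs that let low-privileged groups create files there; the function names and both sample descriptors are constructed for illustration.

```python
import re

# Directory access-mask bits that let a principal plant new entries.
ADD_FILE, ADD_SUBDIR = 0x2, 0x4
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
CREATE_BITS = ADD_FILE | ADD_SUBDIR | GENERIC_WRITE | GENERIC_ALL

# SDDL two-letter rights tokens that carry at least one of those bits.
TOKEN_MASKS = {"FA": 0x1F01FF, "FW": 0x120116, "GA": GENERIC_ALL,
               "GW": GENERIC_WRITE, "DC": ADD_FILE, "LC": ADD_SUBDIR}

# SDDL aliases of groups that every standard interactive user belongs to.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users",
            "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}

def rights_mask(rights):
    """Convert the rights field of an ACE (hex or token string) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= TOKEN_MASKS.get(token, 0)
    return mask

def standard_user_create_aces(sddl):
    """Return (principal, granted create bits) for each allow ACE that lets a
    low-privileged group create files or subdirectories in the directory itself.
    Deny ACEs and SIDs outside LOW_PRIV are not evaluated."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, _, _, sid = fields
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        if "IO" in re.findall("..", flags):  # inherit-only: not on this directory
            continue
        granted = rights_mask(rights) & CREATE_BITS
        if granted:
            findings.append((LOW_PRIV[sid], granted))
    return findings

# Constructed sample descriptors (not captured from a real host).
SHARED_TEMP = "O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x100026;;;BU)(A;OICIIO;GA;;;CO)"
LOCKED_DIR = "O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
```

On a Windows host the SDDL string for a directory can be read with `(Get-Acl <path>).Sddl` and passed to `standard_user_create_aces`; any finding on a directory that a SYSTEM-context installer stages binaries in is worth reviewing.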
