โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence | RANSOMWARE | 1×KEV

CVE-2024-37085 in Microsoft Product: Confirmed Exploitation in GPO-Based Ransomware Attacks

March 23, 2026 | Exploit Risk: 0.499 | Intelligence Score: 100/100 | 2 sources synthesized
TL;DR: Read this first
Intelligence Metadata
First Reported By: microsoft.com
Outbreak Velocity: 0 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: 0.74835 (98.2nd percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.4993
Race Label: PERSISTENT THREAT

Technical Analysis

CONFIRMED exploitation of CVE-2024-37085 is associated with ransomware campaigns that leverage Group Policy Objects (GPOs) for lateral movement and payload execution. While specific details of the vulnerability class (e.g., RCE, LPE) are not available, its inclusion in the CISA KEV catalog indicates a reliable, weaponized exploit exists. The attack chain likely involves an initial compromise, followed by exploitation of this vulnerability to gain privileges necessary to manipulate GPOs. By modifying or creating malicious GPOs, attackers can deploy ransomware at scale across a domain, scheduling tasks or executing scripts on all connected endpoints simultaneously. The effectiveness of this technique lies in its ability to use legitimate administrative infrastructure for malicious purposes, often bypassing traditional endpoint detection.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Unspecified Microsoft Product
Exposure: Requires access to modify Group Policy Objects, suggesting post-authentication exploitation within an enterprise Active Directory network.
Blast Radius: High within an Active Directory environment, as malicious GPO manipulation can affect all domain-joined computers.

Intelligence Context

CVE-2024-37085 presents a significant threat despite the absence of a public CVSS score. Its high EPSS score of 0.74835 indicates a nearly 75% probability of exploitation activity within the next 30 days. This prediction is validated by its CONFIRMED status on the CISA KEV catalog, which mandates action for federal agencies and serves as a critical alert for all organizations. The 'PERSISTENT THREAT' race label suggests that this is not a new or fleeting campaign, but an ongoing risk from established threat actors. The initial report from the vendor (Microsoft) and rapid signal spread underscore the vulnerability's importance. Defenders should prioritize this threat based on the confirmed real-world exploitation, regardless of the missing CVSS metric.

Remediation & Defense

Investigate and Monitor. Given the confirmed exploitation, immediately audit GPO security and monitor for signs of compromise. Deploy detection rules for GPO manipulation.
Patch Status: Not available
Patch Version: Not available
Workarounds:
  • Microsoft reports that predictive shielding in Microsoft Defender for Endpoint can prevent the associated GPO-based ransomware attacks.
Detection Hints:
  • Monitor for unusual or unauthorized modifications to Group Policy Objects (GPOs).
  • Audit logs for GPO creation/modification events (e.g., Event ID 5136, 5137, 5141 in Windows Security Auditing).
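A triage routine over those audit events, added here as an example and not taken from the page's sources. The field names mirror the event data of 5136/5137/5141 (SubjectUserName, ObjectDN, ObjectClass, AttributeLDAPDisplayName); the sample records, account names, GUID and domain are constructed, and the allow-list of GPO admin accounts is an assumed site-specific input.

```python
import re

# Directory Service audit events named on the page (Windows Security log)
GPO_EVENT_IDS = {5136: "modified", 5137: "created", 5141: "deleted"}
GPO_DN_RE = re.compile(r"CN=Policies,CN=System,", re.IGNORECASE)
# Attributes whose change makes a GPO run something on every linked computer
HIGH_RISK_ATTRS = {"gpcmachineextensionnames", "gpcuserextensionnames",
                   "gpcfilesyspath", "versionnumber", "gplink"}

def is_gpo_related(ev):
    """Create/modify/delete of a GPO container, or a gPLink edit on an OU/domain."""
    if ev.get("EventID") not in GPO_EVENT_IDS:
        return False
    if ev.get("ObjectClass", "").lower() == "grouppolicycontainer":
        return True
    if GPO_DN_RE.search(ev.get("ObjectDN", "")):
        return True
    # Linking a GPO is a 5136 on the target OU/domain with attribute gPLink
    return ev.get("AttributeLDAPDisplayName", "").lower() == "gplink"

def triage(events, allowed_accounts):
    """One alert per GPO-related event whose actor is not an allowed GPO admin."""
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for ev in events:
        actor = ev.get("SubjectUserName", "")
        if not is_gpo_related(ev) or actor.lower() in allowed:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "").lower()
        action = GPO_EVENT_IDS[ev["EventID"]]
        # New/deleted GPOs and code-bearing attributes matter most for ransomware staging
        severity = "high" if action != "modified" or attr in HIGH_RISK_ATTRS else "medium"
        alerts.append({"actor": actor, "action": action, "severity": severity,
                       "object": ev.get("ObjectDN", ""), "attribute": attr or None})
    return alerts

# Constructed sample events (not real telemetry); GUID and domain are placeholders
POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "svc_gpo_deploy",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": f"CN={{GUID-1}},{POLICIES}"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={{GUID-1}},{POLICIES}", "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Workstations,DC=corp,DC=example", "AttributeLDAPDisplayName": "gPLink"},
    {"EventID": 5136, "SubjectUserName": "svc_gpo_deploy", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={{GUID-1}},{POLICIES}", "AttributeLDAPDisplayName": "displayName"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # logon event, ignored
]
```

Feeding the real events requires enabling the Directory Service Changes audit subcategory and a SACL on the Policies container, otherwise 5136/5137/5141 are never written.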

Source Timeline
