cyber.mcp.brunosan.de
Cyber Threat Intelligence RANSOMWARE 🔴 1×KEV

CVE-2024-37085 in Microsoft Products: Actively Exploited in GPO-Based Ransomware Attacks (KEV Confirmed)

📅 March 24, 2026 🔴 Exploit Risk: 0.499 📊 Intelligence Score: 100/100 📰 2 sources synthesized
TL;DR — Read this first
Intelligence Metadata
First Reported By: microsoft.com
Outbreak Velocity: 0 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: 0.74835 (92.8th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.4993
Race Label: PERSISTENT THREAT

Technical Analysis

CONFIRMED reports from Microsoft indicate that CVE-2024-37085 is being exploited in ransomware attacks. The attack chain involves the manipulation of Group Policy Objects (GPOs) within a Microsoft Active Directory environment. While the specific vulnerability class (e.g., RCE, LPE) has not been disclosed, the vector implies that attackers have already gained initial access and possess privileges sufficient to edit GPOs. By modifying GPOs, threat actors can achieve widespread and rapid deployment of ransomware payloads across all domain-joined systems, a high-impact lateral movement and execution technique.

Evidence tier is mixed. Exploitation is CONFIRMED by its addition to the CISA KEV catalog on 2024-07-30. The GPO-based attack vector is REPORTED by Microsoft. However, there is conflicting intelligence from a secondary source (cert.at) which associates active exploitation with a vulnerability in VMware ESXi. At present, the primary, confirmed threat is CVE-2024-37085 affecting Microsoft environments. The VMware report may refer to a separate, concurrent campaign or contain erroneous information.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Microsoft Windows (Inferred from GPO-based attack vector)
Exposure: Requires access to an environment with Group Policy Objects (GPOs), typically internal corporate networks with Active Directory. This is not an initial ingress point.
Blast Radius: High within enterprise environments utilizing Microsoft Active Directory. Successful GPO manipulation allows for rapid, domain-wide ransomware deployment.

Intelligence Context

The addition of CVE-2024-37085 to the CISA KEV catalog mandates immediate attention from federal agencies and critical infrastructure. The high EPSS score (92.8th percentile) quantitatively supports CISA's assessment, indicating a high probability of exploitation activity. The absence of a CVSS score is unusual for a KEV entry and suggests the listing was driven purely by observed-in-the-wild attacks, prioritizing real-world risk over theoretical severity. Defenders should treat this as a confirmed, active threat. The 'PERSISTENT THREAT' label indicates the underlying attacker TTPs—specifically GPO abuse for ransomware deployment—are well-established, even if this CVE is the novel component enabling it.

Remediation & Defense

Investigate and Monitor. Prioritize hunting for anomalous GPO modifications within Active Directory environments. Ensure endpoint protection, such as Microsoft Defender, is enabled and configured to block ransomware behaviors.
Patch Status: Not available
Patch Version: Not available
Workarounds:
  • Microsoft reports that predictive shielding in Microsoft Defender for Endpoint can prevent the associated ransomware execution. This is a compensating control, not a direct patch for the vulnerability.
Detection Hints:
  • Monitor for unauthorized or anomalous modifications to Group Policy Objects (GPOs), particularly changes to logon scripts, scheduled tasks, or software installation policies.
  • Audit Windows Event Logs (Security Log Event ID 5136) for GPO changes and correlate with change management records.
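As an added example (not part of this intelligence page), the following Python check applies the second detection hint: it reads Security Event ID 5136 records, keeps only edits to groupPolicyContainer objects, and reports those that no approved change record covers, ranking edits to the GPO's extension lists or version number higher. The events, change records, GPO GUIDs and account names are constructed.

```python
"""Flag GPO edits (Security Event ID 5136, directory service object modified)
that no approved change record covers. All sample data below is constructed."""
import re
from datetime import datetime
# Attributes touched when scripts, scheduled tasks or software installation are added to a GPO.
HIGH_RISK_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}
GPO_GUID_RE = re.compile(r"CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)
# Approved change records (constructed): who may edit which GPO, and when.
APPROVED = [
    {"gpo": "{AAAAAAAA-0000-0000-0000-000000000001}", "actor": "gpo-admin",
     "start": "2024-07-29T09:00:00", "end": "2024-07-29T10:00:00", "ticket": "CHG-1001"},
]
# Constructed 5136 events, fields named as in the event's EventData block.
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-07-29T09:05:00", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "TimeCreated": "2024-07-29T23:41:00", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "TimeCreated": "2024-07-29T23:42:00", "SubjectUserName": "svc-backup",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=Alice,OU=Staff,DC=corp,DC=example"},
]

def is_approved(gpo, actor, when):
    """True if an approved change record covers this actor, GPO and time."""
    for rec in APPROVED:
        if (rec["gpo"].upper() == gpo.upper() and rec["actor"] == actor
                and datetime.fromisoformat(rec["start"]) <= when <= datetime.fromisoformat(rec["end"])):
            return True
    return False

def find_unapproved_gpo_edits(events):
    """Alerts for 5136 events on GPO containers that no approved change covers."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue  # not a Group Policy container edit
        m = GPO_GUID_RE.search(ev["ObjectDN"])
        if not m:
            continue
        gpo, actor, when = m.group(1), ev["SubjectUserName"], datetime.fromisoformat(ev["TimeCreated"])
        if is_approved(gpo, actor, when):
            continue  # matches an approved change window
        attr = ev["AttributeLDAPDisplayName"]
        alerts.append({"gpo": gpo, "actor": actor, "attribute": attr, "time": ev["TimeCreated"],
                       "severity": "high" if attr in HIGH_RISK_ATTRS else "medium"})
    return alerts
```

In practice the events would come from the domain controllers' Security logs (5136 requires the Directory Service Changes audit subcategory and a SACL on the Policies container) and the approved list from the change management system.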

Source Timeline

Tags: CVE-2024-37085, microsoft, ransomware, kev, gpo, active-directory