CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2024-30078: Windows Wi-Fi Driver Over-The-Air RCE

No authentication, no user interaction, no click, just proximity. How a flaw in the Windows Wi-Fi driver enabled kernel-level code execution on every unpatched Windows device on the same wireless network

8.8
CVSS Score
None
Authentication required
None
User interaction required
Adjacent
Attack vector (same Wi-Fi network)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-30078 is a remote code execution vulnerability in the Windows Wi-Fi kernel driver stack, patched in June 2024. The flaw allows an unauthenticated attacker sharing the same Wi-Fi network, or controlling a rogue access point that the target connects to, to send a single crafted 802.11 wireless frame and achieve kernel-mode code execution on the target device with no user interaction whatsoever. Every Wi-Fi-capable Windows device in any shared wireless environment is a potential target. The rogue access point variant extends this to any public location where Windows devices auto-connect to networks.

Technical Overview: Kernel-Mode Wireless Frame Processing

The Windows Wi-Fi driver stack processes 802.11 wireless frames at kernel level before any user-space authentication occurs. Certain frame types, management frames and specific data frame subtypes, are parsed by the kernel driver as part of the fundamental wireless protocol operation, regardless of whether the device has associated with the network or authenticated to it.

CVE-2024-30078 involves improper input validation (consistent with a heap-based buffer overflow) in the parsing of a specific crafted wireless frame type. When the vulnerable Windows device receives this frame, passively, without any action from the user, the Wi-Fi kernel driver processes it and the memory corruption triggers controlled code execution.

Because the vulnerable code executes in kernel mode (Ring 0), successful exploitation yields the highest privilege level available to software, equivalent to full OS control, bypassing all user-space security boundaries.

The Rogue Access Point Threat

The CVSS Adjacent Network attack vector (AV:A) requires the attacker to be on the same Wi-Fi broadcast domain as the target. This is a lower barrier than it initially appears:

Public Wi-Fi: Any coffee shop, airport, hotel, or conference has multiple users sharing the same wireless broadcast domain. A malicious attendee at a security conference, business meeting, or trade show can target every unpatched Windows device on the network.

Rogue access points (evil twin): An attacker broadcasts a Wi-Fi SSID matching a commonly connected network name (home, corporate, hotel chains). Windows devices configured for auto-connect join the rogue AP without user action. The attacker now has adjacent network access to all connected devices and can immediately trigger CVE-2024-30078.

Pre-association frames: Some 802.11 management frame types are processed before a device formally associates with an access point, meaning the attacker may not even need the device to fully connect to deliver the malicious frame.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Affected Scope

CVE-2024-30078 affects all supported Windows versions with a Wi-Fi adapter:

  • Windows 10 (all supported versions and editions)
  • Windows 11 (all editions)
  • Windows Server 2012 R2, 2016, 2019, 2022

The practical affected population is every Windows laptop, tablet, and desktop with wireless networking capability produced in the last decade. Server versions are less commonly at risk due to Wi-Fi adapters being uncommon in rack servers, but Windows Server with a Wi-Fi adapter is technically in scope.

1

Attacker Achieves Adjacent Network Position

Attacker joins the same Wi-Fi network as the target (public Wi-Fi, corporate guest network) or deploys a rogue access point broadcasting a known SSID to lure auto-connecting Windows devices.

2

Crafted 802.11 Frame Transmitted

Attacker sends a specially crafted wireless management or data frame targeting the victim's device MAC address or broadcast address using a raw packet injection capable wireless adapter.

3

Kernel Driver Processes Malicious Frame

Windows Wi-Fi kernel driver receives the frame and processes it through the vulnerable parsing code path without any authentication check, the user has no indication anything is happening.

4

Heap Buffer Overflow Triggers Code Execution

Memory corruption in the kernel driver heap leads to controlled code execution at Ring 0 (kernel mode) with SYSTEM-equivalent privileges.

5

Full System Compromise

Kernel-level access enables disabling security products, installing persistent kernel rootkits, dumping all system credentials, and establishing covert C2, all from a wireless frame sent in a coffee shop.

Detection Challenges

CVE-2024-30078 is particularly difficult to detect because exploitation occurs at the network driver layer, below most security monitoring:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-30078 represents the class of vulnerability that security teams struggle most to convey to executives: an attack that requires nothing from the victim beyond having Wi-Fi enabled, achieves the highest possible privilege level, and can be delivered silently in any shared wireless environment. The rogue access point variant removes even the requirement for the attacker to be on the same corporate network. Every laptop fleet must treat the June 2024 patch as an emergency update. The absence of reported wild exploitation at disclosure does not mean this capability is not being developed in non-public environments.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Does CVE-2024-30078 affect wired (Ethernet) connections?

No. CVE-2024-30078 is specific to the Windows Wi-Fi (wireless LAN) driver stack. Devices connected only via Ethernet are not affected by this vulnerability. However, most laptops have Wi-Fi enabled by default even when using a wired connection, patching is still required.

Was CVE-2024-30078 exploited in the wild?

Microsoft did not list CVE-2024-30078 as exploited in the wild at the time of June 2024 disclosure. However, the zero-interaction requirement, over-the-air attack vector, and kernel-level execution make it a high-priority target for nation-state actors, particularly for attacks against mobile workers in public spaces.

How does the rogue access point attack work?

Windows devices configured to auto-connect to known Wi-Fi SSIDs can be lured onto an attacker's rogue access point broadcasting the same SSID name (evil twin attack). Once the device connects, the attacker is on the same broadcast domain as the victim and can send the malicious wireless frame to trigger CVE-2024-30078, without the victim taking any action beyond having Wi-Fi enabled.

Does a VPN protect users from CVE-2024-30078?

No. VPN encryption operates at a higher network layer than the Windows Wi-Fi kernel driver stack. The vulnerability is in the code that processes 802.11 wireless frames at the hardware driver layer, which runs before any VPN tunnel is established. Even if a user's VPN is active and encrypting all application traffic, the underlying Wi-Fi driver still processes incoming wireless frames from the network. A VPN does not prevent CVE-2024-30078 from being triggered; only patching the Wi-Fi driver or disabling Wi-Fi provides protection.

Why is kernel-level code execution more dangerous than user-mode code execution?

Kernel-mode (Ring 0) code execution gives an attacker the same privilege level as the operating system itself, above all user-space security boundaries. From kernel mode, an attacker can: disable or unload security software (antivirus, EDR agents) running in user space; install a rootkit that persists in kernel memory and is invisible to user-mode analysis tools; dump all system credentials from LSASS memory with no access control checks; and modify the OS kernel itself. Most endpoint security products rely on kernel-mode hooks and callbacks for detection; code execution at the same level can directly bypass or disable those hooks, making kernel exploits especially difficult to detect and respond to.

Which specific Windows builds are vulnerable to CVE-2024-30078?

All supported Windows 10 (21H2, 22H2, and all editions), all Windows 11 versions, and Windows Server 2012 R2, 2016, 2019, and 2022 are vulnerable when running a Wi-Fi adapter with a build prior to the June 2024 cumulative update. The patch is delivered as part of the standard June 2024 Patch Tuesday cumulative update. Verify patch status by running winver and confirming the build number matches or exceeds June 2024 cumulative update numbers for your version: for Windows 11 23H2 this is OS Build 22631.3737 or higher.

Sources & references

  1. Microsoft Security Update Guide, CVE-2024-30078
  2. Microsoft June 2024 Patch Tuesday Release Notes

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.