CVE-2024-23773 is a vulnerability discovered in the Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0, specifically within the KSchedulerSvc.exe service component. The flaw allows a local attacker with limited privileges to perform arbitrary file deletion on the affected system. The vulnerability arises due to improper validation or restriction of file paths (CWE-22), enabling the attacker to specify and delete any file on the system. Because the KSchedulerSvc.exe runs with NT Authority\SYSTEM privileges, successful exploitation results in deletion of files with the highest system privileges, potentially impacting critical system files, application data, or security configurations. The attack vector requires local access and low privileges but no user interaction, making it a significant threat in environments where attackers can gain foothold with limited rights. The vulnerability has a CVSS v3.1 score of 7.8, indicating high severity due to its impact on confidentiality, integrity, and availability. No known public exploits or patches have been reported as of the publication date. This vulnerability could be leveraged for privilege escalation, denial of service, or to facilitate further attacks by removing security controls or critical files.

The impact of CVE-2024-23773 is substantial for organizations using Quest KACE Agent on Windows systems. Since the vulnerability allows deletion of any file with SYSTEM privileges, attackers can disrupt system operations by deleting critical OS files, security logs, or application data, leading to denial of service or system instability. The ability to delete files with high privileges also enables attackers to remove forensic evidence or security configurations, complicating incident response and recovery efforts. In managed IT environments where Quest KACE is used for endpoint management and automation, exploitation could undermine the integrity and availability of managed systems, potentially affecting large numbers of endpoints. This could result in operational downtime, increased remediation costs, and exposure to further attacks. The requirement for local access limits remote exploitation but does not eliminate risk, especially in environments with weak access controls or where attackers have already compromised user accounts.

To mitigate CVE-2024-23773, organizations should: 1) Immediately identify and inventory all systems running affected versions of Quest KACE Agent (12.0.38 and 13.1.23.0). 2) Monitor for updates or patches from Quest and apply them promptly once available. 3) Restrict local access to systems running the KACE Agent to trusted users only, enforcing the principle of least privilege. 4) Implement strict access controls and auditing on critical files and directories to detect unauthorized deletions. 5) Use endpoint detection and response (EDR) tools to monitor for suspicious activity related to file deletions or service misuse. 6) Harden the Windows environment by disabling unnecessary services and limiting service account privileges where possible. 7) Educate IT staff and users about the risks of local privilege escalation and enforce strong authentication and session management to reduce the chance of attacker foothold. 8) Prepare incident response plans that include recovery from arbitrary file deletion scenarios to minimize downtime.