CVE-2024-23774 is a high-severity vulnerability identified in the Quest KACE Agent for Windows, versions 12.0.38 and 13.1.23.0. The root cause is an unquoted search path issue in two key service executables: KSchedulerSvc.exe and AMPTools.exe. In Windows, unquoted service paths containing spaces can be exploited by placing a malicious executable in a directory that is searched before the legitimate executable, causing the system to run the attacker's code with elevated privileges. Here, local attackers with limited privileges can leverage this to execute arbitrary code with NT Authority\SYSTEM privileges, effectively gaining full control over the affected system. The vulnerability requires local access and does not need user interaction, making it a potent privilege escalation vector. The CVSS v3.1 score of 7.8 reflects the ease of exploitation combined with the high impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the vulnerability is critical for environments relying on Quest KACE Agent for endpoint management and automation. The CWE-22 classification indicates a path traversal or improper path handling issue. The lack of published patches at the time of disclosure necessitates immediate attention to alternative mitigations.

Successful exploitation of CVE-2024-23774 allows attackers with limited local privileges to escalate to SYSTEM-level access, granting full control over the affected Windows system. This can lead to unauthorized data access, modification, or destruction, installation of persistent malware, disruption of IT management processes, and lateral movement within enterprise networks. Given Quest KACE Agent's role in managing and automating endpoint tasks, compromise could undermine organizational security posture, enabling attackers to disable security controls, exfiltrate sensitive information, or disrupt critical IT operations. The impact extends to confidentiality, integrity, and availability of affected systems, posing significant risks to organizations that rely on this agent for endpoint management. The vulnerability's local attack vector limits remote exploitation but does not diminish its severity in environments where multiple users have local access or where attackers have already gained initial footholds.

Organizations should immediately audit their environments to identify systems running vulnerable versions of Quest KACE Agent (12.0.38 and 13.1.23.0). In the absence of official patches, apply the following mitigations: (1) Manually correct the service executable paths by ensuring all service paths are properly quoted to prevent path hijacking. This can be done by inspecting the Windows service configuration using tools like 'sc qc' and updating paths with 'sc config' or registry edits. (2) Restrict write permissions on directories in the service executable paths to prevent unprivileged users from placing malicious executables. (3) Limit local user privileges and enforce the principle of least privilege to reduce the risk of local exploitation. (4) Monitor systems for unusual activity indicative of privilege escalation attempts, such as unexpected executable launches or service restarts. (5) Stay alert for vendor patches or updates and apply them promptly once available. (6) Consider isolating or segmenting systems running the affected agent to limit potential lateral movement. These targeted actions go beyond generic advice and address the specific exploitation vector of unquoted service paths.