CVE-2024-30078: Windows Wi-Fi Driver Over-The-Air RCE
No authentication, no user interaction, no click — just proximity. How a flaw in the Windows Wi-Fi driver enabled kernel-level code execution on every unpatched Windows device on the same wireless network
CVE-2024-30078 is a remote code execution vulnerability in the Windows Wi-Fi kernel driver stack, patched in June 2024. The flaw allows an unauthenticated attacker sharing the same Wi-Fi network — or controlling a rogue access point that the target connects to — to send a single crafted 802.11 wireless frame and achieve kernel-mode code execution on the target device with no user interaction whatsoever. Every Wi-Fi-capable Windows device in any shared wireless environment is a potential target. The rogue access point variant extends this to any public location where Windows devices auto-connect to networks.
Technical Overview: Kernel-Mode Wireless Frame Processing
The Windows Wi-Fi driver stack processes 802.11 wireless frames at kernel level before any user-space authentication occurs. Certain frame types — management frames and specific data frame subtypes — are parsed by the kernel driver as part of the fundamental wireless protocol operation, regardless of whether the device has associated with the network or authenticated to it.
CVE-2024-30078 involves improper input validation (consistent with a heap-based buffer overflow) in the parsing of a specific crafted wireless frame type. When the vulnerable Windows device receives this frame — passively, without any action from the user — the Wi-Fi kernel driver processes it and the memory corruption triggers controlled code execution.
Because the vulnerable code executes in kernel mode (Ring 0), successful exploitation yields the highest privilege level available to software — equivalent to full OS control, bypassing all user-space security boundaries.
The Rogue Access Point Threat
The CVSS Adjacent Network attack vector (AV:A) requires the attacker to be on the same Wi-Fi broadcast domain as the target. This is a lower barrier than it initially appears:
**Public Wi-Fi**: Any coffee shop, airport, hotel, or conference has multiple users sharing the same wireless broadcast domain. A malicious attendee at a security conference, business meeting, or trade show can target every unpatched Windows device on the network.
**Rogue access points (evil twin)**: An attacker broadcasts a Wi-Fi SSID matching a commonly connected network name (home, corporate, hotel chains). Windows devices configured for auto-connect join the rogue AP without user action. The attacker now has adjacent network access to all connected devices and can immediately trigger CVE-2024-30078.
**Pre-association frames**: Some 802.11 management frame types are processed before a device formally associates with an access point — meaning the attacker may not even need the device to fully connect to deliver the malicious frame.
Affected Scope
CVE-2024-30078 affects all supported Windows versions with a Wi-Fi adapter:
- Windows 10 (all supported versions and editions) - Windows 11 (all editions) - Windows Server 2012 R2, 2016, 2019, 2022
The practical affected population is every Windows laptop, tablet, and desktop with wireless networking capability produced in the last decade. Server versions are less commonly at risk due to Wi-Fi adapters being uncommon in rack servers, but Windows Server with a Wi-Fi adapter is technically in scope.
Attacker Achieves Adjacent Network Position
Attacker joins the same Wi-Fi network as the target (public Wi-Fi, corporate guest network) or deploys a rogue access point broadcasting a known SSID to lure auto-connecting Windows devices.
Crafted 802.11 Frame Transmitted
Attacker sends a specially crafted wireless management or data frame targeting the victim's device MAC address or broadcast address using a raw packet injection capable wireless adapter.
Kernel Driver Processes Malicious Frame
Windows Wi-Fi kernel driver receives the frame and processes it through the vulnerable parsing code path without any authentication check — the user has no indication anything is happening.
Heap Buffer Overflow Triggers Code Execution
Memory corruption in the kernel driver heap leads to controlled code execution at Ring 0 (kernel mode) with SYSTEM-equivalent privileges.
Full System Compromise
Kernel-level access enables disabling security products, installing persistent kernel rootkits, dumping all system credentials, and establishing covert C2 — all from a wireless frame sent in a coffee shop.
Detection Challenges
CVE-2024-30078 is particularly difficult to detect because exploitation occurs at the network driver layer, below most security monitoring:
| Artifact | Type | SHA-256 (Truncated) |
|---|---|---|
| Kernel crash dumps (BSOD) in nwifi.sys or related wireless stack components | Windows crash dump / Event Log | Failed or unstable exploitation attempts may cause BSODs before a reliable exploit is achieved; any nwifi.sys crash should be investigated |
| Unexpected SYSTEM-context process creation without a clear parent process chain | EDR / Sysmon process telemetry | Kernel exploits often spawn processes directly under SYSTEM with no conventional parent; look for orphaned SYSTEM processes immediately following wireless activity |
| Anomalous 802.11 management frames in wireless packet captures | WLAN monitoring / wireless IDS | Requires dedicated wireless monitoring infrastructure; malformed or non-standard management frames targeting specific MAC addresses may appear in promiscuous mode captures |
Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
Remediation
Steps in order of priority:
Apply June 2024 Patch Tuesday updates immediately
The Wi-Fi driver patch is delivered via the standard Windows Update cumulative update for June 2024. This is the only complete fix. Prioritize laptops and other mobile devices that regularly connect to public or untrusted Wi-Fi networks — they face the highest realistic risk profile.
Disable Wi-Fi auto-connect to open or unmanaged networks
Configure Windows Wi-Fi network profiles to require manual connection to open networks. Via Group Policy: Computer Configuration → Windows Settings → Wireless Network (IEEE 802.11) Policies. Prevent auto-connection to networks not in the managed profile list. This eliminates the rogue access point attack vector.
Restrict Wi-Fi connections to corporate-managed SSIDs
Deploy MDM or Group Policy to restrict Wi-Fi connections to approved SSIDs only. Users connecting to unknown public Wi-Fi or hotspots should be required to use VPN, which adds a security layer even over untrusted wireless networks.
Disable Wi-Fi on servers where wireless is not required
Most Windows Server deployments have no legitimate need for Wi-Fi. Disable wireless adapters via Device Manager or Group Policy on all server infrastructure where Wi-Fi is not operationally required.
Deploy Wi-Fi intrusion detection for high-security environments
For environments with elevated threat models, deploy wireless intrusion detection systems (WIDS) that can identify rogue access points, unusual management frame patterns, and deauthentication attacks against monitored SSIDs.
The bottom line
CVE-2024-30078 represents the class of vulnerability that security teams struggle most to convey to executives: an attack that requires nothing from the victim beyond having Wi-Fi enabled, achieves the highest possible privilege level, and can be delivered silently in any shared wireless environment. The rogue access point variant removes even the requirement for the attacker to be on the same corporate network. Every laptop fleet must treat the June 2024 patch as an emergency update. The absence of reported wild exploitation at disclosure does not mean this capability is not being developed in non-public environments.
Frequently asked questions
Does CVE-2024-30078 affect wired (Ethernet) connections?
No. CVE-2024-30078 is specific to the Windows Wi-Fi (wireless LAN) driver stack. Devices connected only via Ethernet are not affected by this vulnerability. However, most laptops have Wi-Fi enabled by default even when using a wired connection — patching is still required.
Was CVE-2024-30078 exploited in the wild?
Microsoft did not list CVE-2024-30078 as exploited in the wild at the time of June 2024 disclosure. However, the zero-interaction requirement, over-the-air attack vector, and kernel-level execution make it a high-priority target for nation-state actors, particularly for attacks against mobile workers in public spaces.
How does the rogue access point attack work?
Windows devices configured to auto-connect to known Wi-Fi SSIDs can be lured onto an attacker's rogue access point broadcasting the same SSID name (evil twin attack). Once the device connects, the attacker is on the same broadcast domain as the victim and can send the malicious wireless frame to trigger CVE-2024-30078 — without the victim taking any action beyond having Wi-Fi enabled.
Sources & references
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.