Apparently I am getting one more #CVE this year, and this one is kind of cool :)
Earlier this year, I found a critical vulnerability in the Microsoft Update Catalog (https://catalog.update.microsoft.com ). This is the site where you go to download individual update packages for Microsoft products.
I #redteam for #microsoft and I pulled off that exploit as part of my normal work. Previously Microsoft hasn't issued CVE's for service vulnerabilities, but now as part of the expanded Secure Future Initiative, critical vulnerabilities in Microsoft service get CVE's. I think 9.3/8.4 is the highest CVSS I've ever gotten.
This is a "no action" CVE, because there's nothing for you do to make yourself safer. Microsoft already patched the service.
I don't know if I can say more about the exploit than what's in the official disclosure. You can read that here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49147