Windows Wi-Fi Driver Remote Code Execution via Adjacent Network
CVE-2024-30078 is a high-severity (CVSS 8.8) remote code execution vulnerability in the Windows Wi-Fi Driver. An unauthenticated attacker within Wi-Fi radio range of a target can execute arbitrary code on the victim's device by sending a specially crafted network packet. No user interaction is required. The attack vector is 'Adjacent Network' (AV:A), meaning the attacker must be on the same network segment or within Wi-Fi broadcast range. All supported Windows versions are affected (Windows 10, 11, Server 2008–2022). This vulnerability is particularly relevant for SMB environments where employees work in shared offices, co-working spaces, hotels, or coffee shops — any shared Wi-Fi environment with other devices in range becomes a potential attack surface. Despite no confirmed in-the-wild exploitation at time of disclosure, the lack of user interaction makes it a high-priority patch.
// CVE-2024-30078 — Windows Wi-Fi Driver RCE
// Detection approach: Wi-Fi driver RCE occurs at a layer below traditional endpoint telemetry.
// Best detections focus on: post-exploitation activity on wireless-connected systems,
// anomalous processes following Wi-Fi connection events, and wireless network anomalies.

// 1) Shells and script hosts spawned by Wi-Fi service processes.
//    WLAN AutoConfig (wlansvc.dll) is hosted in svchost.exe, so the DLL name
//    never appears as a process file name and is not listed here.
let AnomalousProcessAfterWiFiConnect =
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("svchost.exe", "wlanext.exe")
        or InitiatingProcessCommandLine has_any ("wlansvc", "nativewifi", "wifi")
    | where FileName in~ (
        "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
        "mshta.exe", "rundll32.exe", "regsvr32.exe"
      )
    | extend ThreatIndicator = "CVE-2024-30078-WiFi-Driver-PostExploit";
// 2) Outbound connections to public addresses from Wi-Fi service processes.
let WiFiNetworkAnomalies =
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where RemoteIPType == "Public"
    | where InitiatingProcessFileName in~ ("wlanext.exe", "svchost.exe")
    | where InitiatingProcessCommandLine has_any ("wlansvc", "dot3svc", "WLANSVC")
    | extend ThreatIndicator = "CVE-2024-30078-WiFi-Service-Outbound";
// 3) Connections to ad-hoc or weakly protected wireless networks.
let SuspiciousWiFiEvents =
    DeviceEvents
    | where TimeGenerated > ago(24h)
    | where ActionType in ("WifiConnectionAttempt", "WifiConnected")
    | where AdditionalFields has_any (
        "ad-hoc", "independent", "IBSS", // Ad-hoc/peer-to-peer networks (attack vector)
        "open", "WEP"                    // Insecure network types
      )
    | extend ThreatIndicator = "CVE-2024-30078-Insecure-WiFi-Connect";
// Combine all three signals, newest first.
AnomalousProcessAfterWiFiConnect
| union WiFiNetworkAnomalies
| union SuspiciousWiFiEvents
| sort by TimeGenerated desc
False Positives
- Wi-Fi provisioning services spawning helper processes during network profile management
- Corporate Wi-Fi onboarding agents that run post-connection scripts
- Windows WLAN AutoConfig service making cloud service connections for network intelligence
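The process sub-query above matches children of Wi-Fi service processes at any time of day, which is where most of the false positives listed here come from. The following is an added example, not part of the original detection package: it joins those process events to Wi-Fi connection events on the same device and keeps only children started shortly after a connect. The 10-minute window, the Sample* table names and every row are assumptions constructed for illustration; the ActionType values are the ones used in the page's query.

```kql
// Added example: time-correlate suspicious child processes with a Wi-Fi connect.
// All rows are constructed sample data so the query runs without tenant telemetry.
let CorrelationWindow = 10m;   // assumption: tune to your environment
// Constructed connection events: one per device.
let SampleWifiEvents = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string, ActionType:string)
[
    datetime(2024-06-20 09:00:00), "dev-01", "laptop-01", "WifiConnected",
    datetime(2024-06-20 11:30:00), "dev-02", "laptop-02", "WifiConnected"
];
// Constructed process events:
//   row 1: dev-01, WlanSvc-hosted svchost spawns cmd.exe about 3 minutes after the connect
//   row 2: dev-01, same parent spawns powershell.exe six hours after the connect
//   row 3: dev-02, svchost hosting the Schedule service spawns cmd.exe 1 minute after the connect
let SampleProcessEvents = datatable(TimeGenerated:datetime, DeviceId:string, FileName:string,
    ProcessCommandLine:string, InitiatingProcessFileName:string, InitiatingProcessCommandLine:string)
[
    datetime(2024-06-20 09:03:10), "dev-01", "cmd.exe", "cmd.exe /c whoami",
        "svchost.exe", "svchost.exe -k LocalSystemNetworkRestricted -p -s WlanSvc",
    datetime(2024-06-20 15:00:00), "dev-01", "powershell.exe", "powershell.exe -File onboarding.ps1",
        "svchost.exe", "svchost.exe -k LocalSystemNetworkRestricted -p -s WlanSvc",
    datetime(2024-06-20 11:31:00), "dev-02", "cmd.exe", "cmd.exe /c ver",
        "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"
];
let Connects = SampleWifiEvents
    | where ActionType in ("WifiConnectionAttempt", "WifiConnected")
    | project DeviceId, DeviceName, ConnectTime = TimeGenerated;
SampleProcessEvents
// Require svchost.exe to be the instance hosting WLAN AutoConfig, not any svchost.
| where InitiatingProcessFileName =~ "wlanext.exe"
    or (InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "wlansvc")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe")
| join kind=inner Connects on DeviceId
// Keep only children started inside the window that follows a connect on that device.
| where TimeGenerated between (ConnectTime .. (ConnectTime + CorrelationWindow))
| extend SecondsAfterConnect = datetime_diff("second", TimeGenerated, ConnectTime)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, ConnectTime, SecondsAfterConnect
| sort by TimeGenerated desc
```

To run it against live data, replace SampleWifiEvents with DeviceEvents and SampleProcessEvents with DeviceProcessEvents, and add the same `TimeGenerated > ago(24h)` filter to both.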