title: Windows Proxy Driver Spoofing via Malicious Signed Driver (CVE-2024-26234)
id: df00tech-cve-2024-26234
status: experimental
description: >-
  CVE-2024-26234 is a medium-severity (CVSS 6.7) proxy driver spoofing vulnerability in Windows,
  classed as improper access control (CWE-284) in how Windows handles proxy driver installations.
  It came to light when a driver signed with a valid Microsoft Hardware Compatibility Publisher
  (WHCP) certificate was found in the wild: the driver impersonated a legitimate Xiaomi application
  but contained proxy/backdoor functionality. Despite the medium CVSS score, the case has forensic
  significance because it shows the Microsoft WHCP signing process being abused to obtain a trusted
  driver for driver-level persistence and traffic interception. Exploitation requires high (local)
  privileges, which limits the attack surface to post-compromise or insider-threat scenarios. The
  rule is useful for detecting signed malicious drivers and driver-based persistence on Windows endpoints.
references:
  - https://attack.mitre.org/techniques/CVE-2024-26234/
  - https://df00tech.com/detections/CVE-2024-26234
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-26234
  - cve.2024-26234
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate VPN client drivers installing via msiexec from Program Files (excluded in query)
  - "Security software (EDR, AV) installing kernel filter drivers"
  - Network monitoring tools (Wireshark WinPcap/Npcap) installing capture drivers
level: high
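The detection block above is only a placeholder, so the following PowerShell is an added hunting aid (not part of the df00tech rule or its KQL/SPL query): it inventories loaded kernel drivers and reports those whose Authenticode signer is the WHCP publisher but whose binary lives outside the standard driver directories. The expected-path list and the signer subject string match are assumptions; run it elevated.

```powershell
# Added example, not from the original rule. Lists WHCP-signed drivers found
# outside the usual driver locations so an analyst can review them by hand.
# Assumptions: elevated session; paths come from Win32_SystemDriver.PathName.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Normalise the path forms the service database uses (\??\, \SystemRoot, relative).
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousWhcpDriver {
    # Directories where third-party drivers normally live (assumed list); anything else is flagged.
    $expected = @("$env:SystemRoot\System32\drivers",
                  "$env:SystemRoot\System32\DriverStore",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Every attested third-party driver carries a WHCP signature, so the signer alone
        # proves nothing; the interesting combination is WHCP plus an unexpected location.
        $isWhcp = $signer -like '*Windows Hardware Compatibility Publisher*'
        $inExpected = $false
        foreach ($e in $expected) {
            if ($path.StartsWith($e, [StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true }
        }
        if ($isWhcp -and -not $inExpected) {
            $ver = (Get-Item -LiteralPath $path).VersionInfo
            [pscustomobject]@{
                Service      = $d.Name
                State        = $d.State
                Path         = $path
                SignerStatus = $sig.Status
                Signer       = $signer
                Company      = $ver.CompanyName      # compare against the vendor the driver claims to be
                OriginalName = $ver.OriginalFilename # mismatch with the on-disk name is worth a look
            }
        }
    }
}

Get-SuspiciousWhcpDriver | Sort-Object Path | Format-Table -AutoSize
```

A hit is a review candidate, not a verdict: cross-check the Company and OriginalName fields against the product the driver claims to belong to and against the msiexec install path mentioned under falsepositives.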
