Connect with us

Hi, what are you looking for?



Microsoft Patches Xbox Vulnerability Following Public Disclosure

Microsoft patches Xbox Gaming Services vulnerability CVE-2024-28916 after initially saying it was not a security issue.

Microsoft has released a patch for an Xbox vulnerability after initially telling the reporting researcher that it was not a security issue.

The vulnerability is tracked as CVE-2024-2891 and it impacts Xbox Gaming Services. According to Microsoft, it has ‘important’ severity and it can easily be exploited by a local attacker with low privileges to escalate permissions to System.

“An attacker must have local access to the targeted machine and must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default,” Microsoft explained in its advisory.

The tech giant has informed customers that app package versions 19.87.13001.0 and later patch the vulnerability. The fix should automatically be delivered to users who have automatic updates enabled.

Microsoft’s advisory credits Filip Dragovic for reporting CVE-2024-2891 and informs customers that the vulnerability has been publicly disclosed. There is no evidence of malicious exploitation, but an ‘exploitation more likely’ rating has been assigned to the flaw. 

Dragovic disclosed the details of the vulnerability on March 12. The researcher had been displeased with the fact that Microsoft had initially said that it could not reproduce the vulnerability and later assessed that “no security boundary is being broken”. 

As a result, Dragovic made public a proof-of-concept (PoC) exploit, along with technical details and a video showing the exploit in action. 

“Exploit for arbitrary folder move in GamingService component of Xbox. GamingService is not default service. If service is installed on system it allows low privilege users to escalate to system,” the researcher wrote in his disclosure. 

Will Dormann, a reputable cybersecurity researcher, quickly confirmed Dragovic’s findings. 

Advertisement. Scroll to continue reading.

Just hours after Dragovic made his findings public and Dormann confirmed the bug, Microsoft informed Dragovic that it assigned the issue an ‘important severity’ rating and that it had started working on a fix. 

Microsoft published an advisory announcing the Xbox Gaming Services fix on March 20. 

It’s unclear if the tech giant will be paying out a bug bounty for the vulnerability, particularly since the flaw was disclosed publicly before a patch was made available and without coordinating with Microsoft, as the company had requested when it initially found no security boundaries being broken. 

Microsoft does have a dedicated Xbox bug bounty program, with rewards ranging between $500 and $20,000. An important-severity privilege escalation vulnerability can earn researchers between $1,000 and $5,000, depending on the quality of the report.

Related: CISA Warns Organizations of Exploited Vulnerability Affecting .NET, Visual Studio 

Related: Microsoft Criticized Over Handling of Critical Power Platform Vulnerability

Related: Patch Tuesday: Microsoft Flags Major Bugs in HyperV, Exchange Server 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.