When CVE Met CVE: RomCom Hackers Exploit Firefox and Windows Zero-Days

The Russian cybercrime group RomCom has been linked to a series of cyberattacks launched across the world. The notorious hackers are chaining two Firefox and Windows flaws to deliver a backdoor and compromise vulnerable systems.

Nov 27, 2024 | By Meghana Raatni | 5 min read

The two zero-days involved in this attack are CVE-2024-9680 (CVSS score: 9.8), a use-after-free flaw in Firefox’s Animation component, and CVE-2024-49039 (CVSS score: 8.8), a privilege escalation vulnerability in Windows Task Scheduler. Both vulnerabilities have already been patched.

Technical Details: Zero-Days

CVE-2024-9680 – Use-after-free

The HTML iframe ‘animation0.html’ loaded by the exploit creates four animation elements, which are managed by an AnimationTimeline object. When a getter function cancels one of these animations, its reference is set to null so that the object is freed. In parallel, the Tick function iterates over the animations tracked by the AnimationTimeline and appends those that need to be moved to a local array called animationsToRemove. The animation currently being processed can therefore be freed while Tick still holds a pointer to it, and that dangling pointer is then used.

The exploit code uses heap management to control which objects replace the freed animations, and then calls the getInfo function, leaking properties of ImageData objects. It then leaks the address of a JavaScript object and exploits the Firefox JIT compiler to run the initial shellcode component within the context of a content process.

The initial shellcode, called the egg-hunting shellcode, locates the second shellcode in memory by searching for a hardcoded magic value, 0x8877665544332211. It then changes the memory protection of the address it finds to read-write-execute (RWX) and executes the code stored there.

The second shellcode, called the reflective loader shellcode, loads an embedded library designed solely to bypass the restrictions of Firefox’s sandboxed content process. We’ll talk more about this library while describing the second zero-day.

CVE-2024-49039 – Privilege escalation

The aforementioned library, named PocLowIL by its developers and identified by SHA1 hash ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6, enables a sandbox escape, elevating privileges from the untrusted content process level to a medium integrity level.

The sandbox escape code within the library abuses the overly permissive security descriptor applied to an undocumented RPC endpoint. The descriptor is of the form D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD), which allows anyone to interact with the RPC interface and call its procedures regardless of their integrity level.

The threat actor exploited this flaw by creating a task named firefox.exe that launches conhost.exe, used to hide the child process window. The subsequent PowerShell script retrieves an executable from https://journalctd[.]live/JfWb4OrQPLh, saves it in the %PUBLIC% folder as public.exe, and executes it. Ten seconds later, the file is renamed to epublic.exe and executed again.

Technical Details: Exploit Chain

This attack is particularly dangerous because it’s zero-click; all a user has to do is visit a web page that contains the exploit, and an attacker can run arbitrary code to install the backdoor without any user interaction.

The chain starts off with the distribution of a fake website called economistjournal[.]cloud (do not try to access it) which redirects users to another website, redjournal[.]cloud. The method of distribution is currently unknown. This site contains the exploit code and drops malware known as the RomCom RAT into the user’s system. A final redirection is performed that takes the user back to the original website to avoid raising suspicion.

About RomCom

RomCom, a Russia-linked hacker group, also goes by the names Storm-0978, Tropical Scorpius, and UNC2596. They are known for their espionage operations, spreading RomCom RAT, and maintaining backdoors on affected systems. Some of their campaigns have been financially motivated; they have spread ransomware, stolen credentials, and extorted victims.

In July 2023, RomCom leveraged another zero-day vulnerability (CVE-2023-36884) in various Windows and Office products to target organizations participating in the NATO Summit in Vilnius, Lithuania.

Products Affected

  • Mozilla Firefox
  • Tor Browser
  • Windows Task Scheduler

Impact

RomCom RAT can steal user data, execute commands, and download new modules on affected systems.

Between October 10, 2024, and November 4, 2024, most potential victims who accessed websites hosting the exploit were located in Europe and North America. The number of potential targets ranged from a single individual per country to as many as 250.

Solutions

CVE-2024-9680 was patched in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1, and Tor 13.5.7. By using reference-counting pointers, the animations are prevented from being freed, since AnimationTimeline::Tick will still hold a reference to them.
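To make the fix concrete, the following C++ program is an added illustration (not Mozilla code) of the pattern described under CVE-2024-9680, a loop over animations whose callback can free the animation being processed, and of why holding reference-counting pointers in Tick closes it. `Animation`, `Document`, `ObservingTimeline`, `OwningTimeline` and the four-animation scenario are constructed for this example; the buggy variant uses `std::weak_ptr` in place of the raw pointer the real code held, so the dangling entry can be detected without dereferencing freed memory.

```cpp
#include <algorithm>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the animation objects managed by a timeline.
struct Animation {
    std::string name;
    bool cancelled = false;
    explicit Animation(std::string n) : name(std::move(n)) {}
};

// The document owns the animations. Cancelling one marks it and drops the
// owning reference, which frees the object if nothing else references it.
struct Document {
    std::vector<std::shared_ptr<Animation>> owned;
    void Cancel(const std::string& name) {
        for (auto& a : owned)
            if (a && a->name == name) { a->cancelled = true; a.reset(); }
    }
};

// Buggy shape (the CVE-2024-9680 pattern): the timeline merely observes what
// it ticks. weak_ptr stands in for a raw pointer so a dangling entry can be
// counted instead of dereferenced (which would be undefined behaviour).
struct ObservingTimeline {
    std::vector<std::weak_ptr<Animation>> animations;
    // Returns how many animations were freed out from under the loop.
    int Tick(const std::function<void(Animation&)>& onTick) {
        int dangling = 0;
        std::vector<std::weak_ptr<Animation>> animationsToRemove;
        for (auto& weak : animations) {
            if (weak.expired()) { ++dangling; continue; }  // freed by an earlier callback
            onTick(*weak.lock());  // temporary strong ref lives only for this call
            // The real loop reads the animation here; if the callback just
            // cancelled it, the object is already gone: use-after-free.
            if (weak.expired()) { ++dangling; continue; }
            if (weak.lock()->cancelled) animationsToRemove.push_back(weak);
        }
        return dangling;
    }
};

// Fixed shape (reference-counting pointers, as in the Firefox patch): the
// timeline holds a strong reference and the loop takes its own copy, so a
// cancel during Tick cannot free the object until Tick is done with it.
struct OwningTimeline {
    std::vector<std::shared_ptr<Animation>> animations;
    // Returns {dangling count, animations left after removal}.
    std::pair<int, size_t> Tick(const std::function<void(Animation&)>& onTick) {
        int dangling = 0;
        std::vector<std::shared_ptr<Animation>> animationsToRemove;
        for (std::shared_ptr<Animation> anim : animations) {  // copy: refcount +1
            if (!anim) { ++dangling; continue; }  // cannot happen: the copy keeps it alive
            onTick(*anim);
            if (anim->cancelled) animationsToRemove.push_back(anim);
        }
        // Cancelled animations are dropped only after iteration has finished.
        for (const auto& dead : animationsToRemove)
            animations.erase(std::find(animations.begin(), animations.end(), dead));
        return {dangling, animations.size()};
    }
};

// Constructed scenario: four animations; the callback for the first one
// cancels the first and the third while Tick is still iterating.
template <typename Timeline>
static Timeline BuildScenario(Document& doc) {
    Timeline tl;
    for (const char* n : {"a0", "a1", "a2", "a3"}) {
        auto a = std::make_shared<Animation>(n);
        doc.owned.push_back(a);
        tl.animations.push_back(a);
    }
    return tl;
}

int RunObservingScenario() {
    Document doc;
    ObservingTimeline tl = BuildScenario<ObservingTimeline>(doc);
    return tl.Tick([&](Animation& a) {
        if (a.name == "a0") { doc.Cancel("a0"); doc.Cancel("a2"); }
    });
}

std::pair<int, size_t> RunOwningScenario() {
    Document doc;
    OwningTimeline tl = BuildScenario<OwningTimeline>(doc);
    return tl.Tick([&](Animation& a) {
        if (a.name == "a0") { doc.Cancel("a0"); doc.Cancel("a2"); }
    });
}

int main() {
    std::cout << "observing: " << RunObservingScenario() << " dangling\n";
    auto r = RunOwningScenario();
    std::cout << "owning: " << r.first << " dangling, " << r.second << " left\n";
}
```

The observing timeline reports two dangling entries (the current animation freed mid-iteration and a later one freed by the same callback); the owning timeline reports none and still ends up with the two cancelled animations removed, because removal is deferred until the loop no longer touches them.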

CVE-2024-49039 was patched in version 10.0.19041.5129 released with KB5046612, and uses a more complex security descriptor, D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME), which prevents privilege escalation.
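As an added example that is not from the advisory or from Microsoft, the following C++ program parses the SDDL subset used by the two descriptors above and reports the properties the article ties to the escalation: generic-all access granted to Everyone (WD) or to all app containers (S-1-15-2-1), and the absence of a mandatory-label ACE in the SACL. The two descriptor strings are taken from the article (the closing parenthesis of the pre-patch one is added); the parser, `AuditDescriptor` and the finding strings are constructed for this illustration and handle only the D:/S: sections.

```cpp
#include <initializer_list>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
struct Ace {
    std::string type;     // "A" = access allowed, "ML" = mandatory label
    std::string flags;
    std::string rights;   // e.g. "GA", "GRGWGX", "NWNXNR"
    std::string trustee;  // e.g. "WD", "SY", or a literal SID such as S-1-15-2-1
};

struct SecurityDescriptor {
    std::string daclFlags;  // e.g. "P" (protected) in "D:P(...)"
    std::vector<Ace> dacl;
    std::vector<Ace> sacl;
};

// Parse an ACL body such as "P(A;;GA;;;WD)(A;;GR;;;IU)" into its ACEs.
static std::vector<Ace> ParseAcl(const std::string& acl, std::string& flagsOut) {
    std::vector<Ace> aces;
    size_t open = acl.find('(');
    flagsOut = acl.substr(0, open == std::string::npos ? acl.size() : open);
    while (open != std::string::npos) {
        size_t close = acl.find(')', open);
        if (close == std::string::npos) break;  // truncated ACE: stop parsing
        std::stringstream body(acl.substr(open + 1, close - open - 1));
        std::vector<std::string> f;
        for (std::string part; std::getline(body, part, ';');) f.push_back(part);
        f.resize(6);  // trailing empty fields are legal in SDDL
        aces.push_back({f[0], f[1], f[2], f[5]});
        open = acl.find('(', close);
    }
    return aces;
}

// Handles only "D:..." and an optional "S:..." section (no O:/G: parts),
// which is all the two descriptors in the article use.
SecurityDescriptor ParseSddl(const std::string& sddl) {
    SecurityDescriptor sd;
    size_t d = sddl.find("D:");
    size_t s = sddl.find("S:");
    if (d != std::string::npos) {
        size_t end = (s != std::string::npos && s > d) ? s : sddl.size();
        sd.dacl = ParseAcl(sddl.substr(d + 2, end - d - 2), sd.daclFlags);
    }
    if (s != std::string::npos) {
        std::string ignored;
        size_t end = (d != std::string::npos && d > s) ? d : sddl.size();
        sd.sacl = ParseAcl(sddl.substr(s + 2, end - s - 2), ignored);
    }
    return sd;
}

// True if the two-letter right r (e.g. "GA") appears in a rights string.
static bool HasRight(const std::string& rights, const std::string& r) {
    for (size_t i = 0; i + 1 < rights.size(); i += 2)
        if (rights.compare(i, 2, r) == 0) return true;
    return false;
}

// Report the weaknesses the article describes for the pre-patch descriptor.
std::vector<std::string> AuditDescriptor(const std::string& sddl) {
    std::vector<std::string> findings;
    SecurityDescriptor sd = ParseSddl(sddl);
    for (const Ace& a : sd.dacl) {
        bool broad = (a.trustee == "WD" || a.trustee == "S-1-15-2-1");
        if (a.type == "A" && broad && HasRight(a.rights, "GA"))
            findings.push_back("GA granted to " + a.trustee);
    }
    bool labelled = false;
    for (const Ace& a : sd.sacl) labelled = labelled || a.type == "ML";
    if (!labelled) findings.push_back("no mandatory-label (ML) ACE in SACL");
    return findings;
}

// Pre-patch descriptor from the article (closing parenthesis added) and the
// patched one shipped with KB5046612.
const std::string kWeakDescriptor = "D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD)";
const std::string kFixedDescriptor =
    "D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME)";

int main() {
    for (const std::string& sd : {kWeakDescriptor, kFixedDescriptor}) {
        std::cout << sd << "\n";
        auto findings = AuditDescriptor(sd);
        if (findings.empty()) std::cout << "  no findings\n";
        for (const auto& f : findings) std::cout << "  - " << f << "\n";
    }
}
```

The pre-patch string yields three findings (GA to S-1-15-2-1, GA to WD, no ML ACE); the patched string yields none, since it grants rights only to SYSTEM, local service, network service and interactive users and carries a medium mandatory label that refuses lower-integrity callers.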

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
