CVE-2024-9680
Confirmed PUBLISHEDAn attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of...
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
- CVE Published
- Oct 09, 2024
- Exploitation Reported
- Oct 15, 2024
- CVSS
- 9.8 Critical
- EPSS
- —
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| mozilla |
firefox
|
0 to < 131.0.2 |
Affected |
| mozilla |
firefox_esr
|
0 to < 128.3.1 |
Affected |
| mozilla |
firefox_esr
|
0 to < 115.16.1 |
Affected |
| mozilla |
firefox_esr
|
0 to < 128.3.1 |
Affected |
| mozilla |
firefox_esr
|
0 to < 115.16.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 131.0.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 128.3.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 115.16.0 |
Affected |
| mozilla |
thunderbird
|
0 to < 131.0.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 128.3.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 115.16.0 |
Affected |
| mozilla |
thunderbird
|
0 to < 131.0.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 128.3.1 |
Affected |
| mozilla |
thunderbird
|
0 to < 115.16.0 |
Affected |
| Mozilla |
Firefox
|
unspecified to < 131.0.2 |
Affected |
| Mozilla |
Firefox ESR
|
unspecified to < 128.3.1 |
Affected |
| Mozilla |
Firefox ESR
|
unspecified to < 115.16.1 |
Affected |
| Mozilla |
Thunderbird
|
unspecified to < 131.0.1 |
Affected |
| Mozilla |
Thunderbird
|
unspecified to < 128.3.1 |
Affected |
| Mozilla |
Thunderbird
|
unspecified to < 115.16.0 |
Affected |
CVE References
- bugzilla.mozilla.org/show_bug.cgi bugzilla.mozilla.org · CVE Record https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
- Windows sandbox escape detected with the in-the-wild exploit msrc.microsoft.com · CVE Record https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-...
- mozilla.org/security/advisories/mfsa2024-51 mozilla.org · CVE Record https://www.mozilla.org/security/advisories/mfsa2024-51/
- mozilla.org/security/advisories/mfsa2024-52 mozilla.org · CVE Record https://www.mozilla.org/security/advisories/mfsa2024-52/
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2024-10-15 00:00 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2024-10-15 00:00:00 UTC · CISA
Used in malware
Recorded 2026-06-02 14:08:22 UTC · CISA
Proof of concept available
Recorded 2024-10-17 16:10:38 UTC · GitHub
Weaknesses (CWE)
-
Use After Free
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nessus | https://www.tenable.com/plugins/nessus/212185 | Jun 02, 2025 |
Recent Mentions
Google Threat Intelligence · Apr 29, 2025
Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts. For a deeper look at the trends discussed in this report, along with recommendations for defenders, register for our upcoming zero-day webinar. Scope This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that…
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-10-17 16:10:38 UTC · 11 stars
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:08 UTC about 2 months ago14:08 UTC · about 2 months ago
First public exploitation report
Exploit observed in malware
-
09:26 UTC about 1 year ago09:26 UTC · about 1 year ago
Nessus plugin available
Scanner coverage available
-
16:10 UTC almost 2 years ago16:10 UTC · almost 2 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC almost 2 years ago00:00 UTC · almost 2 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
12:59 UTC almost 2 years ago12:59 UTC · almost 2 years ago
CVE published
Vulnerability disclosed publicly
-
06:28 UTC almost 2 years ago06:28 UTC · almost 2 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2024-9680
{
"cve_id": "CVE-2024-9680",
"title": "An attacker was able to achieve code execution in the content process by expl...",
"affected_vendor": "Mozilla",
"affected_product": "Firefox, Firefox ESR, Thunderbird",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": null,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}