Vulnerability-Lookup

CVE-2021-43890 (GCVE-0-2021-43890)

Vulnerability from cvelistv5 – Published: 2021-12-15 14:15 – Updated: 2025-10-21 23:25

CISA KEV

Title

Windows AppX Installer Spoofing Vulnerability

Summary

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

Spoofing

Assigner

microsoft

References

URL

Tags

	https://portal.msrc.microsoft.com/en-US/security-…	x_refsource_MISC
	https://www.bleepingcomputer.com/news/microsoft/m…
	https://thehackernews.com/2023/12/microsoft-disab…
	https://www.microsoft.com/en-us/security/blog/202…
	https://github.com/ChrisTitusTech/winutil/pull/26

Impacted products

	Vendor	Product	Version
	Microsoft	App Installer	Affected: 1.0.0.0 , < publication (custom) cpe:2.3:a:microsoft:app_installer::::::::

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 7325fa1e-f9a9-439f-a507-571262721f42

Vulnerability ID: CVE-2021-43890

Status: Confirmed

Status Updated: 2021-12-15 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2021-12-15

Asserted: 2021-12-15

Scope

Notes: KEV entry: Microsoft Windows AppX Installer Spoofing Vulnerability | Affected: Microsoft / Windows | Description: Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability. | Required action: Apply updates per vendor instructions. | Due date: 2021-12-29 | Known ransomware campaign use (KEV): Known | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2021-43890

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Windows
Due Date	2021-12-29
Date Added	2021-12-15
Vendorproject	Microsoft
Vulnerabilityname	Microsoft Windows AppX Installer Spoofing Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2021-43890

Created: 2026-02-02 12:28 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:10:17.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-43890",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-26T13:43:15.135020Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-12-15",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:22.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-12-15T00:00:00+00:00",
            "value": "CVE-2021-43890 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "App Installer",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "1.0.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-12-14T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\nAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\nPlease see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.\nPlease see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.\nDecember 27 2023 Update:\nIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.\nTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Spoofing",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T14:44:37.753Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
        },
        {
          "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
        },
        {
          "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
        },
        {
          "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
        },
        {
          "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
        }
      ],
      "title": "Windows AppX Installer Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2021-43890",
    "datePublished": "2021-12-15T14:15:35.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:22.309Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2021-43890",
      "dateAdded": "2021-12-15",
      "dueDate": "2021-12-29",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-43890",
      "product": "Windows",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Windows AppX Installer Spoofing Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2021-12-29",
      "cisaExploitAdd": "2021-12-15",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Microsoft Windows AppX Installer Spoofing Vulnerability",
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.16\", \"matchCriteriaId\": \"F5F1F637-0D18-4CBE-A56B-DEA530ACC1B0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2E332666-2E03-468E-BC30-299816D6E8ED\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A363CE8F-F399-4B6E-9E7D-349792F95DDB\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A1B570A8-ED1A-46B6-B8AB-064445F8FC4C\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4DBE5B2-AE10-4251-BCDA-DC5EDEE6EE67\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6AFD13A6-A390-4400-9029-2F4058CA17E2\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B1FED4C9-B680-4F44-ADC0-AC43D6B5F184\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F513002-D8C1-4D3A-9F79-4B52498F67E9\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BB4AE761-6FAC-4000-A63D-42CE3FAB8412\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.11\", \"matchCriteriaId\": \"62B0A730-2442-4C85-8CFA-098D4DADFF8C\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"542DAEEC-73CC-46C6-A630-BF474A3446AC\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AC160B20-3EA0-49A0-A857-4E7A1C2D74E2\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00345596-E9E0-4096-8DC6-0212F4747A13\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\\nAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\\nPlease see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.\\nPlease see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.\\nDecember 27 2023 Update:\\nIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.\\nTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\\n\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de Suplantaci\\u00f3n de Identidad de Windows AppX Installer\"}]",
      "id": "CVE-2021-43890",
      "lastModified": "2024-11-21T06:29:59.457",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secure@microsoft.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-12-15T15:15:11.207",
      "references": "[{\"url\": \"https://github.com/ChrisTitusTech/winutil/pull/26\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Press/Media Coverage\", \"Third Party Advisory\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Press/Media Coverage\", \"Third Party Advisory\"]}, {\"url\": \"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/ChrisTitusTech/winutil/pull/26\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Press/Media Coverage\", \"Third Party Advisory\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Press/Media Coverage\", \"Third Party Advisory\"]}, {\"url\": \"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "secure@microsoft.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43890\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2021-12-15T15:15:11.207\",\"lastModified\":\"2025-10-30T19:16:58.980\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\\nAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\\nPlease see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.\\nPlease see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.\\nDecember 27 2023 Update:\\nIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.\\nTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\\n\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Suplantaci\u00f3n de Identidad de Windows AppX Installer\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"cisaExploitAdd\":\"2021-12-15\",\"cisaActionDue\":\"2021-12-29\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Microsoft Windows AppX Installer Spoofing Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.16\",\"matchCriteriaId\":\"F5F1F637-0D18-4CBE-A56B-DEA530ACC1B0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E332666-2E03-468E-BC30-299816D6E8ED\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A363CE8F-F399-4B6E-9E7D-349792F95DDB\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1B570A8-ED1A-46B6-B8AB-064445F8FC4C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4DBE5B2-AE10-4251-BCDA-DC5EDEE6EE67\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AFD13A6-A390-4400-9029-2F4058CA17E2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B1FED4C9-B680-4F44-ADC0-AC43D6B5F184\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F513002-D8C1-4D3A-9F79-4B52498F67E9\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB4AE761-6FAC-4000-A63D-42CE3FAB8412\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.11\",\"matchCriteriaId\":\"62B0A730-2442-4C85-8CFA-098D4DADFF8C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"542DAEEC-73CC-46C6-A630-BF474A3446AC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC160B20-3EA0-49A0-A857-4E7A1C2D74E2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00345596-E9E0-4096-8DC6-0212F4747A13\"}]}]}],\"references\":[{\"url\":\"https://github.com/ChrisTitusTech/winutil/pull/26\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/ChrisTitusTech/winutil/pull/26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/ChrisTitusTech/winutil/pull/26\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T04:10:17.079Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-43890\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-26T13:43:15.135020Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2021-12-15\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2021-12-15T00:00:00+00:00\", \"value\": \"CVE-2021-43890 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T16:04:44.546Z\"}}], \"cna\": {\"title\": \"Windows AppX Installer Spoofing Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"App Installer\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0.0\", \"lessThan\": \"publication\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}], \"datePublic\": \"2021-12-14T08:00:00.000Z\", \"references\": [{\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/\"}, {\"url\": \"https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html\"}, {\"url\": \"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\"}, {\"url\": \"https://github.com/ChrisTitusTech/winutil/pull/26\"}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\\nAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\\nPlease see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.\\nPlease see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.\\nDecember 27 2023 Update:\\nIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.\\nTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"Impact\", \"description\": \"Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2024-05-29T14:44:37.753Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-43890\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:25:22.309Z\", \"dateReserved\": \"2021-11-16T00:00:00.000Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2021-12-15T14:15:35.000Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-HVCQ-2MCQ-RG5F

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2025-10-22 00:32

Details

Windows AppX Installer Spoofing Vulnerability

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-43890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows AppX Installer Spoofing Vulnerability",
  "id": "GHSA-hvcq-2mcq-rg5f",
  "modified": "2025-10-22T00:32:26Z",
  "published": "2021-12-16T00:01:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
    },
    {
      "type": "WEB",
      "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890"
    },
    {
      "type": "WEB",
      "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CERTFR-2021-AVI-961

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une usurpation d'identité, une élévation de privilèges, une atteinte à la confidentialité des données et une exécution de code à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Visual Studio 2022 version 17.0
Microsoft	N/A	PowerShell 7.2
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.2
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft	N/A	HEVC Video Extensions
Microsoft	N/A	Raw Image Extension
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft	N/A	Visual Studio Code WSL Extension
Microsoft	N/A	VP9 Video Extensions
Microsoft	N/A	Visual Studio Code
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.4
Microsoft	N/A	Microsoft Defender pour IoT
Microsoft	N/A	Microsoft 4K Wireless Display Adapter
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.3
Microsoft	N/A	App Installer

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 décembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Visual Studio 2022 version 17.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "PowerShell 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "HEVC Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Raw Image Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code WSL Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "VP9 Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Defender pour IoT",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 4K Wireless Display Adapter",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "App Installer",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-43908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43908"
    },
    {
      "name": "CVE-2021-41360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41360"
    },
    {
      "name": "CVE-2021-42295",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42295"
    },
    {
      "name": "CVE-2021-43889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43889"
    },
    {
      "name": "CVE-2021-40452",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40452"
    },
    {
      "name": "CVE-2021-43890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43890"
    },
    {
      "name": "CVE-2021-43892",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43892"
    },
    {
      "name": "CVE-2021-42313",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42313"
    },
    {
      "name": "CVE-2021-43255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43255"
    },
    {
      "name": "CVE-2021-43896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43896"
    },
    {
      "name": "CVE-2021-41365",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41365"
    },
    {
      "name": "CVE-2021-43256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43256"
    },
    {
      "name": "CVE-2021-42310",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42310"
    },
    {
      "name": "CVE-2021-40453",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40453"
    },
    {
      "name": "CVE-2021-42315",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42315"
    },
    {
      "name": "CVE-2021-43875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43875"
    },
    {
      "name": "CVE-2021-42314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42314"
    },
    {
      "name": "CVE-2021-43907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43907"
    },
    {
      "name": "CVE-2021-42293",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42293"
    },
    {
      "name": "CVE-2021-43877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43877"
    },
    {
      "name": "CVE-2021-43888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43888"
    },
    {
      "name": "CVE-2021-43214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43214"
    },
    {
      "name": "CVE-2021-43891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43891"
    },
    {
      "name": "CVE-2021-43882",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43882"
    },
    {
      "name": "CVE-2021-42311",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42311"
    },
    {
      "name": "CVE-2021-43243",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43243"
    },
    {
      "name": "CVE-2021-43899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43899"
    },
    {
      "name": "CVE-2021-42312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42312"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-961",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-12-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une usurpation d\u0027identit\u00e9, une \u00e9l\u00e9vation de\nprivil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une\nex\u00e9cution de code \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 d\u00e9cembre 2021",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

CERTFR-2021-AVI-961

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Visual Studio 2022 version 17.0
Microsoft	N/A	PowerShell 7.2
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.2
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft	N/A	HEVC Video Extensions
Microsoft	N/A	Raw Image Extension
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft	N/A	Visual Studio Code WSL Extension
Microsoft	N/A	VP9 Video Extensions
Microsoft	N/A	Visual Studio Code
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.4
Microsoft	N/A	Microsoft Defender pour IoT
Microsoft	N/A	Microsoft 4K Wireless Display Adapter
Microsoft	N/A	Microsoft BizTalk ESB Toolkit 2.3
Microsoft	N/A	App Installer

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 décembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Visual Studio 2022 version 17.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "PowerShell 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "HEVC Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Raw Image Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code WSL Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "VP9 Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Defender pour IoT",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 4K Wireless Display Adapter",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk ESB Toolkit 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "App Installer",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-43908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43908"
    },
    {
      "name": "CVE-2021-41360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41360"
    },
    {
      "name": "CVE-2021-42295",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42295"
    },
    {
      "name": "CVE-2021-43889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43889"
    },
    {
      "name": "CVE-2021-40452",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40452"
    },
    {
      "name": "CVE-2021-43890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43890"
    },
    {
      "name": "CVE-2021-43892",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43892"
    },
    {
      "name": "CVE-2021-42313",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42313"
    },
    {
      "name": "CVE-2021-43255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43255"
    },
    {
      "name": "CVE-2021-43896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43896"
    },
    {
      "name": "CVE-2021-41365",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41365"
    },
    {
      "name": "CVE-2021-43256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43256"
    },
    {
      "name": "CVE-2021-42310",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42310"
    },
    {
      "name": "CVE-2021-40453",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40453"
    },
    {
      "name": "CVE-2021-42315",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42315"
    },
    {
      "name": "CVE-2021-43875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43875"
    },
    {
      "name": "CVE-2021-42314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42314"
    },
    {
      "name": "CVE-2021-43907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43907"
    },
    {
      "name": "CVE-2021-42293",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42293"
    },
    {
      "name": "CVE-2021-43877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43877"
    },
    {
      "name": "CVE-2021-43888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43888"
    },
    {
      "name": "CVE-2021-43214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43214"
    },
    {
      "name": "CVE-2021-43891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43891"
    },
    {
      "name": "CVE-2021-43882",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43882"
    },
    {
      "name": "CVE-2021-42311",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42311"
    },
    {
      "name": "CVE-2021-43243",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43243"
    },
    {
      "name": "CVE-2021-43899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43899"
    },
    {
      "name": "CVE-2021-42312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42312"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-961",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-12-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une usurpation d\u0027identit\u00e9, une \u00e9l\u00e9vation de\nprivil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une\nex\u00e9cution de code \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 d\u00e9cembre 2021",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

FKIE_CVE-2021-43890

Vulnerability from fkie_nvd - Published: 2021-12-15 15:15 - Updated: 2025-10-30 19:16

CISA KEV

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
secure@microsoft.com	https://github.com/ChrisTitusTech/winutil/pull/26	Issue Tracking
secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890	Patch, Vendor Advisory
secure@microsoft.com	https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html	Press/Media Coverage, Third Party Advisory
secure@microsoft.com	https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/	Press/Media Coverage, Third Party Advisory
secure@microsoft.com	https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ChrisTitusTech/winutil/pull/26	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html	Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/	Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890	US Government Resource

Impacted products

Vendor	Product	Version
microsoft	app_installer	*
microsoft	windows_10_1809	-
microsoft	windows_10_1903	-
microsoft	windows_10_1909	-
microsoft	windows_10_2004	-
microsoft	windows_10_20h2	-
microsoft	windows_10_21h1	-
microsoft	windows_10_21h2	-
microsoft	windows_11_21h2	-
microsoft	app_installer	*
microsoft	windows_10_1507	-
microsoft	windows_10_1709	-
microsoft	windows_10_1803	-

JSON

To clipboard

{
  "cisaActionDue": "2021-12-29",
  "cisaExploitAdd": "2021-12-15",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Microsoft Windows AppX Installer Spoofing Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5F1F637-0D18-4CBE-A56B-DEA530ACC1B0",
              "versionEndExcluding": "1.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E332666-2E03-468E-BC30-299816D6E8ED",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A363CE8F-F399-4B6E-9E7D-349792F95DDB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1B570A8-ED1A-46B6-B8AB-064445F8FC4C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4DBE5B2-AE10-4251-BCDA-DC5EDEE6EE67",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AFD13A6-A390-4400-9029-2F4058CA17E2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1FED4C9-B680-4F44-ADC0-AC43D6B5F184",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F513002-D8C1-4D3A-9F79-4B52498F67E9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB4AE761-6FAC-4000-A63D-42CE3FAB8412",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "62B0A730-2442-4C85-8CFA-098D4DADFF8C",
              "versionEndExcluding": "1.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "542DAEEC-73CC-46C6-A630-BF474A3446AC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC160B20-3EA0-49A0-A857-4E7A1C2D74E2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "00345596-E9E0-4096-8DC6-0212F4747A13",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\nAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\nPlease see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.\nPlease see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.\nDecember 27 2023 Update:\nIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.\nTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\n"
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Suplantaci\u00f3n de Identidad de Windows AppX Installer"
    }
  ],
  "id": "CVE-2021-43890",
  "lastModified": "2025-10-30T19:16:58.980",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-12-15T15:15:11.207",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-43890

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Windows AppX Installer Spoofing Vulnerability

Aliases

CVE-2021-43890

Aliases

CVE-2021-43890

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-43890",
    "description": "Windows AppX Installer Spoofing Vulnerability",
    "id": "GSD-2021-43890"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-43890"
      ],
      "details": "Windows AppX Installer Spoofing Vulnerability",
      "id": "GSD-2021-43890",
      "modified": "2023-12-13T01:23:25.892349Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2021-43890",
      "dateAdded": "2021-12-15",
      "dueDate": "2021-12-29",
      "product": "Windows",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Windows AppX Installer Spoofing Vulnerability"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2021-43890",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "App Installer",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.0.0.0",
                          "version_value": "publication"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\u003cp\u003eWe have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\u003c/p\u003e\n\u003cp\u003eAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003ePlease see the \u003cstrong\u003eSecurity Updates\u003c/strong\u003e table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the \u003cstrong\u003eFAQ\u003c/strong\u003e section.\u003c/p\u003e\n\u003cp\u003ePlease see the \u003cstrong\u003eMitigations\u003c/strong\u003e and \u003cstrong\u003eWorkaround\u003c/strong\u003e sections for important information about steps you can take to protect your system from this vulnerability.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDecember 27 2023 Update:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the \u003ca href=\"https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\"\u003ems-appinstaller URI scheme\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\u003c/p\u003e\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
          },
          {
            "name": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/",
            "refsource": "MISC",
            "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
          },
          {
            "name": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html",
            "refsource": "MISC",
            "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
          },
          {
            "name": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
            "refsource": "MISC",
            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
          },
          {
            "name": "https://github.com/ChrisTitusTech/winutil/pull/26",
            "refsource": "MISC",
            "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "cisaActionDue": "2021-12-29",
        "cisaExploitAdd": "2021-12-15",
        "cisaRequiredAction": "Apply updates per vendor instructions.",
        "cisaVulnerabilityName": "Microsoft Windows AppX Installer Spoofing Vulnerability",
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F08CBD8F-D993-4175-A2FF-0A0C37F7AFD0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*",
                    "matchCriteriaId": "084984D5-D241-497B-B118-50C6C1EAD468",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*",
                    "matchCriteriaId": "BA592626-F17C-4F46-823B-0947D102BBD2",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "\u003cp\u003eWe have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.\u003c/p\u003e\n\u003cp\u003eAn attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003ePlease see the \u003cstrong\u003eSecurity Updates\u003c/strong\u003e table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the \u003cstrong\u003eFAQ\u003c/strong\u003e section.\u003c/p\u003e\n\u003cp\u003ePlease see the \u003cstrong\u003eMitigations\u003c/strong\u003e and \u003cstrong\u003eWorkaround\u003c/strong\u003e sections for important information about steps you can take to protect your system from this vulnerability.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDecember 27 2023 Update:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eIn recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the \u003ca href=\"https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\"\u003ems-appinstaller URI scheme\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eTo address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.\u003c/p\u003e\n"
          },
          {
            "lang": "es",
            "value": "Una vulnerabilidad de Suplantaci\u00f3n de Identidad de Windows AppX Installer"
          }
        ],
        "id": "CVE-2021-43890",
        "lastModified": "2023-12-30T07:15:08.147",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 6.8,
              "impactScore": 6.4,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": true
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 5.9,
              "source": "secure@microsoft.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2021-12-15T15:15:11.207",
        "references": [
          {
            "source": "secure@microsoft.com",
            "url": "https://github.com/ChrisTitusTech/winutil/pull/26"
          },
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/"
          },
          {
            "source": "secure@microsoft.com",
            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
          }
        ],
        "sourceIdentifier": "secure@microsoft.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-43890 (GCVE-0-2021-43890)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

GHSA-HVCQ-2MCQ-RG5F

CERTFR-2021-AVI-961

Solution

CERTFR-2021-AVI-961

Solution

FKIE_CVE-2021-43890

GSD-2021-43890

Tags

Sightings

Nomenclature