CVE-2021-43890
CVE-2021-43890 is a high-severity vulnerability in Microsoft App Installer with a CVSS 3.x base score of 7.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-12-15).
Key facts
- Severity: High (CVSS 3.x base score 7.1)
- CVSS v2: 6.0
- EPSS exploit prediction: 10% (95th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-12-15)
- EU (EUVD) id: EUVD-2021-30752
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-12-15)
- Affected product: Microsoft App Installer
- Published:
- Last modified:
Description
We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.
Frequently asked questions
- What is CVE-2021-43890?
- We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.
- How severe is CVE-2021-43890?
- CVE-2021-43890 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-43890 being actively exploited?
- Yes. CVE-2021-43890 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-12-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-43890?
- CVE-2021-43890 affects Microsoft App Installer. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-43890?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-43890 have an EU (EUVD) identifier?
- Yes. CVE-2021-43890 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-30752. It is also flagged as exploited in the EUVD (since 2021-12-15).
- When was CVE-2021-43890 published?
- CVE-2021-43890 was published on 2021-12-15 and last updated on 2026-06-17.
References
- https://github.com/ChrisTitusTech/winutil/pull/26
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890
- https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890
Affected products (1)
- cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft App Installer
- CVE-2024-38177 — High (CVSS 7.8): Windows App Installer Spoofing Vulnerability