CVE-2024-21412
CVE-2024-21412 is a high-severity vulnerability in Microsoft Windows 10 1809 with a CVSS 3.x base score of 8.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-02-13). The underlying weakness is classified as CWE-693.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-02-13)
- EU (EUVD) id: EUVD-2024-19121
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-02-13)
- Weakness: CWE-693
- Affected product: Microsoft Windows 10 1809
- Published:
- Last modified:
Description
Internet Shortcut Files Security Feature Bypass Vulnerability
CVE-2024-21412: Internet Shortcut Files Security Feature Bypass — Actively Exploited in the Wild
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2024-21412 |
| Published | 2024-02-13 |
| Last Modified | 2026-06-17 |
| CVSS v3.1 | 8.1 (HIGH) — AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| CWE | CWE-693: Protection Mechanism Failure |
| EPSS | 0.95443 (99.86th percentile) |
| CISA KEV | Listed — added 2024-02-13 |
| EU Exploited | Yes — EUVD-2024-19121, since 2024-02-13 |
| Ransomware Use | Confirmed |
| Vendor | Microsoft |
Summary
CVE-2024-21412 is a security feature bypass vulnerability in the way Microsoft Windows handles Internet Shortcut (.url) files. By crafting a malicious shortcut, an attacker can circumvent Mark-of-the-Web (MotW) protections and other security controls, leading to arbitrary code execution or data exfiltration. The vulnerability has been actively exploited in the wild since its disclosure date and is associated with ransomware campaigns.
Background
Internet Shortcut files (.url) are a legacy Windows feature that allows users to store web links as discrete files on disk. When opened, Windows resolves the URL and launches the default browser. Over the years, these files have been abused in social-engineering attacks because they appear benign to non-technical users and can carry embedded commands or redirect to attacker-controlled resources. Microsoft has progressively hardened the handling of such files via Mark-of-the-Web (MotW) taint tracking and Protected View, but bypass techniques continue to emerge.
Root Cause — CWE-693: Protection Mechanism Failure
The root cause lies in a failure of the Windows security mechanism responsible for enforcing MotW and sandbox restrictions on Internet Shortcut files. Specifically, the parsing logic for .url files does not adequately validate or propagate security zone identifiers under certain conditions, allowing a crafted file to masquerade as locally trusted content. This effectively neuters the protections designed to prevent untrusted files from executing without user warning.
CWE-693 captures this class of vulnerability: a protection mechanism exists but fails to operate correctly in a specific code path, leaving the system exposed.
Impact
With a CVSS v3.1 score of 8.1 (HIGH), this vulnerability is rated severe:
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network | Can be exploited remotely |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | None | No user account needed |
| User Interaction (UI) | Required | Victim must open the file |
| Scope (S) | Unchanged | Impact limited to the vulnerable component |
| Confidentiality (C) | High | Sensitive data can be exfiltrated |
| Integrity (I) | High | Data or system state can be modified |
| Availability (A) | None | No direct denial-of-service effect |
Real-world impact: Because the flaw bypasses MotW, phishing emails delivering malicious .url attachments can trigger code execution even when the file originated from the internet. The CISA KEV listing, EU exploitation flag, and confirmed ransomware use all indicate that this is not merely theoretical — it is a documented infection vector.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: The following describes the generic attack flow at a high level for defensive awareness only. No weaponized exploit code is provided, and the information is drawn from public advisories.
- Reconnaissance: The attacker identifies a target organization and crafts a phishing email themed around a legitimate service or internal process.
- Delivery: An innocent-looking
.urlfile is attached to the email. The file's visible name may be disguised (e.g.,Invoice_Feb2024.pdf.url). - Social engineering: The email urges the recipient to open the attachment to view a document or confirm a payment.
- Execution: When the victim opens the
.urlfile, the MotW bypass allows the shortcut to launch a resource — often a remote SMB share, WebDAV path, or script — without triggering the usual security warnings. - Post-exploitation: The attacker may deploy a remote access trojan, steal credentials, or drop ransomware.
Defensive takeaway: The entire chain depends on the user opening the attachment. Therefore, user awareness and attachment-blocking policies are critical compensating controls.
Affected and Patched Versions
The following Microsoft products are confirmed vulnerable based on CPE data:
- Windows 10, version 1809
- Windows 10, version 21H2
- Windows 10, version 22H2
- Windows 11, version 21H2
- Windows 11, version 22H2
- Windows 11, version 23H2
- Windows Server 2019
- Windows Server 2022
- Windows Server 2022, version 23H2
Microsoft released security updates in the February 2024 Patch Tuesday cycle. Systems patched via Windows Update or Microsoft Update Catalog on or after 2024-02-13 are no longer vulnerable.
Remediation
- Apply patches immediately. Install the February 2024 (or later) cumulative security updates from Microsoft for all affected Windows versions.
- Block
.urlattachments at the email gateway. Unless there is a documented business need,.urlfiles should be stripped or quarantined by email security appliances. - Enforce Attack Surface Reduction (ASR) rules. Enable Microsoft Defender ASR rules that block Office applications from creating child processes and prevent executable content from email client and webmail.
- Enable SmartScreen and Application Control. Ensure Windows SmartScreen is active and consider Windows Defender Application Control (WDAC) or AppLocker policies to restrict execution of untrusted binaries.
- User training. Brief end users on the risk of unexpected email attachments, especially files with double extensions or unfamiliar icons.
Detection
- Email gateway logs: Monitor for inbound emails containing
.urlattachments, particularly from external senders. - Endpoint detection: Look for processes spawned by
explorer.exeorshell32.dllin response to.urlfile opens that subsequently connect to remote SMB shares or WebDAV paths. - Mark-of-the-Web audit: Scan user download directories for
.urlfiles that lack the expected Zone.Identifier alternate data stream, which may indicate tampering. - SIEM correlation: Correlate CISA KEV CVE-2024-21412 with endpoint alerts, email logs, and proxy/DNS requests to suspicious domains.
Assessment
CVE-2024-21412 is a textbook example of why "security feature bypass" vulnerabilities demand urgent attention. An EPSS of 0.95443 places it in the top 0.14% of all CVEs by probability of exploitation, and its presence on the CISA KEV catalog with confirmed ransomware use leaves no ambiguity about real-world threat level.
Key lessons:
- MotW is a single layer — not a panacea. When attackers find ways to bypass taint tracking, the downstream protections collapse. Defense in depth remains essential.
- Patch velocity matters. This vulnerability was exploited on the day of disclosure (2024-02-13). Organizations with even modest patching delays were exposed to ransomware delivery.
References
Frequently asked questions
- What is CVE-2024-21412?
- Internet Shortcut Files Security Feature Bypass Vulnerability
- How severe is CVE-2024-21412?
- CVE-2024-21412 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2024-21412 being actively exploited?
- Yes. CVE-2024-21412 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-02-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-21412?
- CVE-2024-21412 primarily affects Microsoft Windows 10 1809. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-21412?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-21412 have an EU (EUVD) identifier?
- Yes. CVE-2024-21412 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19121. It is also flagged as exploited in the EUVD (since 2024-02-13).
- When was CVE-2024-21412 published?
- CVE-2024-21412 was published on 2024-02-13 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21412
Affected products (9)
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1809
- CVE-2025-49708 — Critical (CVSS 9.9): Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.
- CVE-2026-47291 — Critical (CVSS 9.8): Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 — Critical (CVSS 9.8): Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-33824 — Critical (CVSS 9.8): Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- CVE-2025-60724 — Critical (CVSS 9.8): Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
All CVEs affecting Microsoft Windows 10 1809 →
Other CWE-693 (Protection Mechanism Failure) vulnerabilities
- CVE-2026-47140 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins…
- CVE-2026-34208 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects…
- CVE-2026-34938 — Critical (CVSS 10.0): PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs…
- CVE-2026-2761 — Critical (CVSS 10.0): Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33,…
- CVE-2022-32845 — Critical (CVSS 10.0): This issue was addressed with improved checks. This issue is fixed in watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS…
- CVE-2026-45102 — Critical (CVSS 9.9): OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm…
Browse all CWE-693 (Protection Mechanism Failure) vulnerabilities →