CVE-2024-21412

CVE-2024-21412 is a high-severity vulnerability in Microsoft Windows 10 1809 with a CVSS 3.x base score of 8.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-02-13). The underlying weakness is classified as CWE-693.

Key facts

Description

Internet Shortcut Files Security Feature Bypass Vulnerability

CVE-2024-21412: Internet Shortcut Files Security Feature Bypass — Actively Exploited in the Wild

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2024-21412
Published 2024-02-13
Last Modified 2026-06-17
CVSS v3.1 8.1 (HIGH) — AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE CWE-693: Protection Mechanism Failure
EPSS 0.95443 (99.86th percentile)
CISA KEV Listed — added 2024-02-13
EU Exploited Yes — EUVD-2024-19121, since 2024-02-13
Ransomware Use Confirmed
Vendor Microsoft

Summary

CVE-2024-21412 is a security feature bypass vulnerability in the way Microsoft Windows handles Internet Shortcut (.url) files. By crafting a malicious shortcut, an attacker can circumvent Mark-of-the-Web (MotW) protections and other security controls, leading to arbitrary code execution or data exfiltration. The vulnerability has been actively exploited in the wild since its disclosure date and is associated with ransomware campaigns.

Background

Internet Shortcut files (.url) are a legacy Windows feature that allows users to store web links as discrete files on disk. When opened, Windows resolves the URL and launches the default browser. Over the years, these files have been abused in social-engineering attacks because they appear benign to non-technical users and can carry embedded commands or redirect to attacker-controlled resources. Microsoft has progressively hardened the handling of such files via Mark-of-the-Web (MotW) taint tracking and Protected View, but bypass techniques continue to emerge.

Root Cause — CWE-693: Protection Mechanism Failure

The root cause lies in a failure of the Windows security mechanism responsible for enforcing MotW and sandbox restrictions on Internet Shortcut files. Specifically, the parsing logic for .url files does not adequately validate or propagate security zone identifiers under certain conditions, allowing a crafted file to masquerade as locally trusted content. This effectively neuters the protections designed to prevent untrusted files from executing without user warning.

CWE-693 captures this class of vulnerability: a protection mechanism exists but fails to operate correctly in a specific code path, leaving the system exposed.

Impact

With a CVSS v3.1 score of 8.1 (HIGH), this vulnerability is rated severe:

Metric Value Interpretation
Attack Vector (AV) Network Can be exploited remotely
Attack Complexity (AC) Low No special conditions required
Privileges Required (PR) None No user account needed
User Interaction (UI) Required Victim must open the file
Scope (S) Unchanged Impact limited to the vulnerable component
Confidentiality (C) High Sensitive data can be exfiltrated
Integrity (I) High Data or system state can be modified
Availability (A) None No direct denial-of-service effect

Real-world impact: Because the flaw bypasses MotW, phishing emails delivering malicious .url attachments can trigger code execution even when the file originated from the internet. The CISA KEV listing, EU exploitation flag, and confirmed ransomware use all indicate that this is not merely theoretical — it is a documented infection vector.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following describes the generic attack flow at a high level for defensive awareness only. No weaponized exploit code is provided, and the information is drawn from public advisories.

  1. Reconnaissance: The attacker identifies a target organization and crafts a phishing email themed around a legitimate service or internal process.
  2. Delivery: An innocent-looking .url file is attached to the email. The file's visible name may be disguised (e.g., Invoice_Feb2024.pdf.url).
  3. Social engineering: The email urges the recipient to open the attachment to view a document or confirm a payment.
  4. Execution: When the victim opens the .url file, the MotW bypass allows the shortcut to launch a resource — often a remote SMB share, WebDAV path, or script — without triggering the usual security warnings.
  5. Post-exploitation: The attacker may deploy a remote access trojan, steal credentials, or drop ransomware.

Defensive takeaway: The entire chain depends on the user opening the attachment. Therefore, user awareness and attachment-blocking policies are critical compensating controls.

Affected and Patched Versions

The following Microsoft products are confirmed vulnerable based on CPE data:

  • Windows 10, version 1809
  • Windows 10, version 21H2
  • Windows 10, version 22H2
  • Windows 11, version 21H2
  • Windows 11, version 22H2
  • Windows 11, version 23H2
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2022, version 23H2

Microsoft released security updates in the February 2024 Patch Tuesday cycle. Systems patched via Windows Update or Microsoft Update Catalog on or after 2024-02-13 are no longer vulnerable.

Remediation

  1. Apply patches immediately. Install the February 2024 (or later) cumulative security updates from Microsoft for all affected Windows versions.
  2. Block .url attachments at the email gateway. Unless there is a documented business need, .url files should be stripped or quarantined by email security appliances.
  3. Enforce Attack Surface Reduction (ASR) rules. Enable Microsoft Defender ASR rules that block Office applications from creating child processes and prevent executable content from email client and webmail.
  4. Enable SmartScreen and Application Control. Ensure Windows SmartScreen is active and consider Windows Defender Application Control (WDAC) or AppLocker policies to restrict execution of untrusted binaries.
  5. User training. Brief end users on the risk of unexpected email attachments, especially files with double extensions or unfamiliar icons.

Detection

  • Email gateway logs: Monitor for inbound emails containing .url attachments, particularly from external senders.
  • Endpoint detection: Look for processes spawned by explorer.exe or shell32.dll in response to .url file opens that subsequently connect to remote SMB shares or WebDAV paths.
  • Mark-of-the-Web audit: Scan user download directories for .url files that lack the expected Zone.Identifier alternate data stream, which may indicate tampering.
  • SIEM correlation: Correlate CISA KEV CVE-2024-21412 with endpoint alerts, email logs, and proxy/DNS requests to suspicious domains.

Assessment

CVE-2024-21412 is a textbook example of why "security feature bypass" vulnerabilities demand urgent attention. An EPSS of 0.95443 places it in the top 0.14% of all CVEs by probability of exploitation, and its presence on the CISA KEV catalog with confirmed ransomware use leaves no ambiguity about real-world threat level.

Key lessons:

  1. MotW is a single layer — not a panacea. When attackers find ways to bypass taint tracking, the downstream protections collapse. Defense in depth remains essential.
  2. Patch velocity matters. This vulnerability was exploited on the day of disclosure (2024-02-13). Organizations with even modest patching delays were exposed to ransomware delivery.

References

Frequently asked questions

What is CVE-2024-21412?
Internet Shortcut Files Security Feature Bypass Vulnerability
How severe is CVE-2024-21412?
CVE-2024-21412 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2024-21412 being actively exploited?
Yes. CVE-2024-21412 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-02-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-21412?
CVE-2024-21412 primarily affects Microsoft Windows 10 1809. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-21412?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-21412 have an EU (EUVD) identifier?
Yes. CVE-2024-21412 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19121. It is also flagged as exploited in the EUVD (since 2024-02-13).
When was CVE-2024-21412 published?
CVE-2024-21412 was published on 2024-02-13 and last updated on 2026-06-17.

References

Affected products (9)

More vulnerabilities in Microsoft Windows 10 1809

All CVEs affecting Microsoft Windows 10 1809 →

Other CWE-693 (Protection Mechanism Failure) vulnerabilities

Browse all CWE-693 (Protection Mechanism Failure) vulnerabilities →