CVE-2021-43890
Published: 2021-12-15
Priority: P1 · 85 · high · CVSS 3.1 base score 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2021-12-29
Exploited in the wild
EPSS: 10.29% (95.1st percentile)
We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware families known as Emotet, Trickbot and BazaLoader.
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
December 27, 2023 update:
In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.
To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | app_installer | < 1.16 | 1.16 |
| microsoft | app_installer | < 1.11 | 1.11 |
| microsoft | app_installer | >= 1.0.0.0 < publication | publication |
| msrc | app_installer | — | — |
Detection & IOCs (extracted from sources)
- Monitor for the ms-appinstaller URI scheme handler being invoked, particularly from browser processes; threat actors are leveraging it to deliver malware via phishing campaigns.
- Detect AppX installer launching from user-opened email attachments or browser downloads; exploitation involves specially crafted .appx/.msix packages delivered via phishing.
- Alert on AppX installer activity associated with the Emotet, Trickbot and BazaLoader families, which have been observed being delivered via exploitation of this vulnerability.
- Check the App Installer version: builds prior to 1.21.3421.0 have the ms-appinstaller URI scheme enabled by default, so hosts that received the December 2021 fix (1.16, or 1.11 on Windows 10 1709/1803) remain exposed to the protocol-handler abuse described in the December 2023 update unless the protocol is disabled by policy.
- Monitor for silent/hidden subframe invocations of the ms-appinstaller protocol in browser traffic, which may indicate a drive-by exploitation attempt.
- Caveat: the ms-appinstaller protocol is only disabled by default in App Installer build 1.21.3421.0 or greater; older builds remain exposed unless the protocol is explicitly disabled via Group Policy (EnableMSAppInstallerProtocol = Disabled), which requires version 1.17.10633.0 or greater.
- Caveat: customers running Windows 10 version 1709 or 1803 must use a different (older) installer build (1.11) and cannot use the same mitigation path as Windows 10 1809+ or Windows 11 users.
- Caveat: the BlockNonAdminUserInstall GPO workaround only prevents non-admin users from installing packages; administrator users remain able to install AppX packages and could still be targeted.
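An added example, not from the MSRC advisory, CISA, or any of the sources excerpted on this page: a PowerShell audit-and-hunt script that implements the version check, the two Group Policy checks and the process-creation hunt listed above in one pass. The registry locations for EnableMSAppInstallerProtocol and BlockNonAdminUserInstall are assumptions derived from the ADMX policy names, the browser list is illustrative, and the hunt assumes Security event 4688 is logged with command-line auditing enabled; verify each against your environment before relying on the output.

```powershell
# Added example for CVE-2021-43890 / ms-appinstaller abuse: audit a host's App Installer
# exposure and hunt for protocol-handler launches. Not from the MSRC advisory or this page.
# Run elevated in Windows PowerShell 5.1 (Get-AppxPackage -AllUsers and the Security log
# both need admin). Assumptions, to verify against your ADMX templates and audit policy:
#   - EnableMSAppInstallerProtocol lives at HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (DWORD, 0 = disabled)
#   - BlockNonAdminUserInstall lives at HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx (DWORD, 1 = block)
#   - Security event 4688 is logged with "Include command line in process creation events" enabled.

# Version thresholds taken from this page. The 1.16 line applies to Windows 10 1809+ and
# Windows 11; Windows 10 1709/1803 received the fix in the separate 1.11 line instead.
$Thresholds = [ordered]@{
    'CVE-2021-43890 fix present (1.16 line)'        = [version]'1.16'
    'EnableMSAppInstallerProtocol policy available' = [version]'1.17.10633.0'
    'ms-appinstaller disabled by default'           = [version]'1.21.3421.0'
}

function Get-AppInstallerVersion {
    # Microsoft.DesktopAppInstaller owns AppInstaller.exe and the ms-appinstaller: handler.
    $pkg = Get-AppxPackage -AllUsers -Name Microsoft.DesktopAppInstaller |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if ($pkg) { [version]$pkg.Version } else { $null }
}

function Test-AppInstallerExposure {
    param($Installed)   # System.Version, or $null when the package is absent
    foreach ($t in $Thresholds.GetEnumerator()) {
        [pscustomobject]@{
            Check     = $t.Key
            Required  = $t.Value
            Installed = $Installed
            Pass      = ($null -ne $Installed) -and ($Installed -ge $t.Value)
        }
    }
}

function Get-AppInstallerPolicyState {
    # Registry paths are assumed from the ADMX policy names (see header comment).
    $proto = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' `
                              -Name EnableMSAppInstallerProtocol -ErrorAction SilentlyContinue
    $block = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                              -Name BlockNonAdminUserInstall -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtocolExplicitlyDisabled = [bool]($proto -and $proto.EnableMSAppInstallerProtocol -eq 0)
        NonAdminInstallBlocked     = [bool]($block -and $block.BlockNonAdminUserInstall -eq 1)
    }
}

function Find-MsAppInstallerLaunches {
    param([int]$Days = 7)
    # Two signals in 4688: the packaged handler starting, or an ms-appinstaller:?source= URI
    # on any command line (explorer.exe, a script, a LOLBin). Protocol activation of a packaged
    # app is brokered by the OS, so the recorded parent of AppInstaller.exe is frequently
    # svchost.exe rather than the browser that navigated to the URI: treat FromBrowser as a
    # strong hint, not a requirement, and correlate browser downloads by time.
    $browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'iexplore.exe'  # illustrative list
    $filter   = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $proc = [string]$d['NewProcessName']
        $cmd  = [string]$d['CommandLine']
        $isHandler = $proc -match '(?i)\\Microsoft\.DesktopAppInstaller_[^\\]+\\AppInstaller\.exe$'
        $hasUri    = $cmd  -match '(?i)ms-appinstaller:\?source='
        if ($isHandler -or $hasUri) {
            $parent = [System.IO.Path]::GetFileName([string]$d['ParentProcessName']).ToLower()
            $signal = if ($isHandler -and $hasUri) { 'handler+uri' } elseif ($isHandler) { 'handler' } else { 'uri' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['SubjectUserName']
                Process     = [System.IO.Path]::GetFileName($proc)
                Parent      = $parent
                FromBrowser = $browsers -contains $parent
                Signal      = $signal
                Source      = [regex]::Match($cmd, '(?i)source=([^\s"&]+)').Groups[1].Value
                CommandLine = $cmd
            }
        }
    }
}

$installed = Get-AppInstallerVersion
Test-AppInstallerExposure -Installed $installed | Format-Table -AutoSize
Get-AppInstallerPolicyState | Format-List
Find-MsAppInstallerLaunches -Days 30 | Sort-Object Time |
    Format-Table Time, User, Process, Parent, FromBrowser, Signal, Source -AutoSize
```

A host passes all three version checks only at 1.21.3421.0 or later; a host between 1.17.10633.0 and 1.21.3421.0 is acceptable only if ProtocolExplicitlyDisabled is true, and BlockNonAdminUserInstall on its own does not close the gap for administrators, as the caveats above note. On PowerShell 7 the Appx cmdlets need `Import-Module Appx -UseWindowsPowerShell` first.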
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.1 | HIGH | — |
| cisa | — | 7.1 | HIGH | — |
| vendor_msrc | — | 7.1 | HIGH | — |
VulnCheck
Microsoft Windows AppX Installer Spoofing Vulnerability
vulncheck·2021·CVSS 7.1
Microsoft Windows AppX Installer contains a spoofing vulnerability with high impact to confidentiality, integrity, and availability.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2021-Dec; https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-zero-day-spreading-emotet-malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/a233a4d7728c
Remediation Due: 2021-12-29
CISA
Microsoft Windows AppX Installer Spoofing Vulnerability
cisa·2021-12-15·CVSS 7.1
Affected: Microsoft Windows
Microsoft Windows AppX Installer contains a spoofing vulnerability with high impact to confidentiality, integrity, and availability.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-43890
Remediation Due Date: 2021-12-29
Microsoft
Windows AppX Installer Spoofing Vulnerability
vendor_msrc·2021-12-14·CVSS 7.1
Description: the advisory text reproduced at the top of this page.
No detection rules found.
No public exploits indexed.
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Microsoft & Adobe Patch Tuesday (December 2021) – Microsoft 83 Vulnerabilities With 7 Critical, 1 Actively Exploited. Adobe 60 Vulnerabilities, 28 Critical.
blogs_qualys·2021-12-14·CVSS 9.8
## Microsoft Patch Tuesday – December 2021
Microsoft patched 83 vulnerabilities in their December 2021 Patch Tuesday release, of which seven are rated as critical severity. This month’s release includes one Zero Day known to be actively exploited.
Products impacted by Microsoft’s December security update include Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote D
Krebs
Microsoft Patch Tuesday, December 2021 Edition
blogs_krebs·2021-12-14
Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.
Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the se
Tenable
Microsoft’s December 2021 Patch Tuesday Addresses 67 CVEs (CVE-2021-43890)
blogs_tenable·2021-12-14·CVSS 7.1
Crowdstrike
December 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/
- https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html
- https://github.com/ChrisTitusTech/winutil/pull/26
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890
Published: 2021-12-15
Added to CISA KEV: 2021-12-15
Exploited in the wild