⚠ Actively exploited
Added to CISA KEV on 2024-05-14. Federal agencies required to patch by 2024-06-04. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-30040Improper Input Validation in Microsoft Windows 10 Version 1507

CWE-20Improper Input ValidationCWE-203Observable Discrepancy19 documents12 sources
Severity
8.8HIGHNVD
EPSS
23.5%
top 4.01%
CISA KEV
KEV
Added 2024-05-14
Due 2024-06-04
Exploit
Exploited in wild
Active exploitation observed
Affected products
21
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809+18 more
Timeline
PublishedMay 14
KEV addedMay 14
KEV dueJun 4
Latest updateOct 8
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Windows MSHTML Platform Security Feature Bypass Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages21 packages

NVDmicrosoft/windows< 10.0.14393.6981+3
NVDmicrosoft/windows_10_1507< 10.0.10240.20651
NVDmicrosoft/windows_10_1607< 10.0.14393.6981
NVDmicrosoft/windows_10_1809< 10.0.17763.5820
NVDmicrosoft/windows_10_21h2< 10.0.19044.4412

Patches

Patch: msrc.microsoft.comPatch: msrc.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-mmh4-cvwv-5vmm: Windows MSHTML Platform Security Feature Bypass Vulnerability2024-05-14
CVEList
Windows MSHTML Platform Security Feature Bypass Vulnerability2024-05-14
VulnCheck
Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability2024

📋Vendor Advisories

2
Microsoft
Windows MSHTML Platform Security Feature Bypass Vulnerability2024-05-14
CISA
Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability2024-05-14

🕵️Threat Intelligence

13
Tenable
Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)2024-10-08
Qualys
Microsoft and Adobe Patch Tuesday, May 2024 Security Update Review2024-05-14
Krebs
Patch Tuesday, May 2024 Edition2024-05-14
Trendmicro
The May 2024 Security Update Review2024-05-14
Krebs
Patch Tuesday, May 2024 Edition2024-05-14
CVE-2024-30040 — Improper Input Validation in Microsoft | cvebase