⚠ Actively exploited

Added to CISA KEV on 2024-07-09. Federal agencies required to patch by 2024-07-30. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-38112 — User Interface (UI) Misrepresentation of Critical Information in Microsoft Windows 10 Version 1507

CWE-451 — User Interface (UI) Misrepresentation of Critical Information CWE-22 — Path Traversal37 documents14 sources

Severity

7.5HIGHCNA

VulnCheck8.8

No vector

EPSS

93.0%

top 0.22%

CISA KEV

KEV

Added 2024-07-09

Due 2024-07-30

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Windows 10 Version 1507 Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 +11 more

Timeline

PublishedJul 9

KEV addedJul 9

KEV dueJul 30

Latest updateApr 1

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Windows MSHTML Platform Spoofing Vulnerability Windows MSHTML Platform Spoofing Vulnerability

Affected Packages14 packages

▶CVEListV5microsoft/windows_server_201610.0.14393.0 — 10.0.14393.7159

▶CVEListV5microsoft/windows_server_201910.0.17763.0 — 10.0.17763.6054

▶CVEListV5microsoft/windows_server_202210.0.20348.0 — 10.0.20348.2582

▶CVEListV5microsoft/windows_server_2012_r26.3.9600.0 — 6.3.9600.22074

▶CVEListV5microsoft/windows_10_version_150710.0.10240.0 — 10.0.10240.20710

🔴Vulnerability Details

CVEList

Windows MSHTML Platform Spoofing Vulnerability↗2024-07-09

▶

VulnCheck

Microsoft Windows MSHTML Platform Spoofing Vulnerability↗2024

▶

VulnCheck

Microsoft Windows MSHTML Platform Spoofing Vulnerability↗2024

▶

VulnCheck

Microsoft Windows SmartScreen Security Feature Bypass Vulnerability↗2023

▶

VulnCheck

Microsoft MSHTML Remote Code Execution Vulnerability↗2021

▶

📋Vendor Advisories

CISA

Microsoft Windows MSHTML Platform Spoofing Vulnerability↗2024-09-16

▶

Microsoft

Windows MSHTML Platform Spoofing Vulnerability↗2024-09-10

▶

CISA

Microsoft Windows MSHTML Platform Spoofing Vulnerability↗2024-07-09

▶

Microsoft

Windows MSHTML Platform Spoofing Vulnerability↗2024-07-09

▶

🕵️Threat Intelligence

Tenable

Microsoft Patch Tuesday 2024 Year in Review↗2024-12-10

▶

Securelist

Exploits and vulnerabilities in Q3 2024↗2024-12-06

▶

Securelist

Analyzing the vulnerability landscape in Q3 2024↗2024-12-06

▶

Tenable

Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)↗2024-10-08

▶

Bleepingcomputer

CISA warns of Windows flaw used in infostealer malware attacks↗2024-09-16

▶

📄Research Papers

arXiv

LLM-Assisted Proactive Threat Intelligence for Automated Reasoning↗2025-04-01

▶

External resources

NVD MITRE CISA KEV

Affected products14

Microsoft Windows 10 Version 1507≥ 10.0.10240.0, < 10.0.10240.20710

Microsoft Windows 10 Version 1607≥ 10.0.14393.0, < 10.0.14393.7159

Microsoft Windows 10 Version 1809≥ 10.0.17763.0, < 10.0.17763.6054

Microsoft Windows 10 Version 21h2≥ 10.0.19043.0, < 10.0.19044.4651

Microsoft Windows 10 Version 22h2≥ 10.0.19045.0, < 10.0.19045.4651

Microsoft Windows 11 Version 21h2≥ 10.0.0, < 10.0.22000.3079

Microsoft Windows 11 Version 22h2≥ 10.0.22621.0, < 10.0.22621.3880

Microsoft Windows 11 Version 22h3≥ 10.0.22631.0, < 10.0.22631.3880

Microsoft Windows 11 Version 23h2≥ 10.0.22631.0, < 10.0.22631.3880

Microsoft Windows Server 2008 Service Pack 2≥ 6.0.6003.0, < 6.0.6003.22769

Disclosure

PublishedJul 9, 2024

KEV addedJul 9, 2024

KEV dueJul 30, 2024

Latest updateApr 1, 2025