CVE-2024-38112
published 2024-07-09

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability

CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2024-07-30
Exploited in the wild (ITW)
EPSS: 84.34% (99.7th percentile)

Affected

31 ranges, showing 25

Vendor | Product | Version range | Fixed in
microsoft | windows_10_version_1507 | >= 10.0.10240.0, < 10.0.10240.20710 | 10.0.10240.20710
microsoft | windows_10_version_1607 | >= 10.0.14393.0, < 10.0.14393.7159 | 10.0.14393.7159
microsoft | windows_10_version_1809 | >= 10.0.17763.0, < 10.0.17763.6054 | 10.0.17763.6054
microsoft | windows_10_version_21h2 | >= 10.0.19043.0, < 10.0.19044.4651 | 10.0.19044.4651
microsoft | windows_10_version_22h2 | >= 10.0.19045.0, < 10.0.19045.4651 | 10.0.19045.4651
microsoft | windows_11_version_21h2 | >= 10.0.0, < 10.0.22000.3079 | 10.0.22000.3079
microsoft | windows_11_version_22h2 | >= 10.0.22621.0, < 10.0.22621.3880 | 10.0.22621.3880
microsoft | windows_11_version_22h3 | >= 10.0.22631.0, < 10.0.22631.3880 | 10.0.22631.3880
microsoft | windows_11_version_23h2 | >= 10.0.22631.0, < 10.0.22631.3880 | 10.0.22631.3880
microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0, < 6.0.6003.22769 | 6.0.6003.22769
microsoft | windows_server_2012_r2 | >= 6.3.9600.0, < 6.3.9600.22074 | 6.3.9600.22074
microsoft | windows_server_2016 | >= 10.0.14393.0, < 10.0.14393.7159 | 10.0.14393.7159
microsoft | windows_server_2019 | >= 10.0.17763.0, < 10.0.17763.6054 | 10.0.17763.6054
microsoft | windows_server_2022 | >= 10.0.20348.0, < 10.0.20348.2582 | 10.0.20348.2582
msrc | windows_10 | - | -
msrc | windows_10_version_1607 | - | -
msrc | windows_10_version_1809 | - | -
msrc | windows_10_version_21h2 | - | -
msrc | windows_10_version_22h2 | - | -
msrc | windows_11_version_21h2 | - | -
msrc | windows_11_version_22h2 | - | -
msrc | windows_11_version_23h2 | - | -
msrc | windows_11_version_24h2 | - | -
msrc | windows_server_2008 | - | -
msrc | windows_server_2008_r2 | - | -

Detection & IOCs (extracted from sources)

hash: c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
filename: Books_A0UJKO.pdf.url
hash: d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb
filename: test1.html
hash: 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33
hash: c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302
filename: become.txt
process: iexplore.exe
filename: Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta
command: irm (Invoke-RestMethod) alias and iex (Invoke-Expression)
bytes: %E2%A0%80
  • Detect .URL shortcut files containing the MHTML protocol handler combined with the x-usc! directive in the URL parameter — this is the core exploit mechanism for CVE-2024-38112.
  • Alert on iexplore.exe spawning child processes or making outbound network connections, especially to download HTA files — IE is disabled and should not be initiating such activity.
  • Hunt for HTA filenames containing 26 repeated encoded braille whitespace characters (%E2%A0%80) used to hide the .hta extension and masquerade as PDF files.
  • Detect VBScript within HTA files performing XOR decryption (key 4) followed by PowerShell execution — characteristic of Stage 3 of the Void Banshee chain.
  • Monitor for Win32_Process WMI class usage spawned from PowerShell scripts downloaded via irm/iex — used in Stage 3 to launch the next stage payload.
  • Look for internet shortcut (.URL) files with a PDF icon but .url extension distributed via zip archives — Void Banshee changed the default icon of an internet shortcut file to that of a PDF file.
  • Detect Windows Internet Shortcut files (.url extension) that, when clicked, invoke Internet Explorer (iexplore.exe) to visit attacker-controlled URLs rather than opening in Edge.
  • The MHTML handler has been unregistered from Internet Explorer as part of the July 2024 Patch Tuesday fix, meaning MHTML is no longer usable inside internet shortcut files on patched systems — detections targeting this vector are most relevant for unpatched hosts.
  • The CVE-2024-43461 fix for the braille whitespace extension-hiding technique is incomplete — whitespace is not stripped, only the actual .hta extension is now shown, which may still confuse users.
  • There is disagreement between the original discoverers (ZDI/Trend Micro) and Microsoft on the severity — ZDI classifies CVE-2024-38112 as a remote code execution vulnerability warranting a critical rating, while Microsoft disclosed it as a spoofing vulnerability with a lower CVSS score.

CVSS provenance

Source | Score | Vector
nvd (v3.1) | 7.5 HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
cvelistv5 | 7.5 HIGH | -
vulncheck | 8.8 HIGH | -
cisa | 7.5 HIGH | -
vendor_msrc | 8.8 HIGH | -