CVE-2024-43491
published 2024-09-10


Priority: P184
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV, exploited in the wild
EPSS: 12.13% (95.6th percentile)
Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.

Affected (5 ranges)

Vendor     Product                          Version range                          Fixed in
microsoft  windows_10_1507                  < 10.0.10240.20766                     10.0.10240.20766
microsoft  windows_10_1507                  <= 10.0.10240.20766                    (none listed)
microsoft  windows_10_version_1507          >= 10.0.10240.0, < 10.0.10240.20766    10.0.10240.20766
msrc       windows_10_for_32-bit_systems    (not specified)                        (not specified)
msrc       windows_10_for_x64-based_systems (not specified)                        (not specified)

Detection & IOCs (extracted from sources)

other: KB5043936
other: KB5043083
  • Target systems are Windows 10 version 1507 (OS Build 10240.20526 or later through August 2024 updates) with one or more vulnerable Optional Components enabled. Enumerate Optional Components to identify exposure.
  • Vulnerable optional components to check for on affected hosts include: .NET Framework 4.6/ASP.NET 4.6, Active Directory Lightweight Directory Services, Internet Explorer 11, IIS/World Wide Web Services, SMB 1.0/CIFS File Sharing Support, MSMQ Server Core, MSMQ HTTP Support, LPD Print Service, Windows Media Player, Work Folders Client, XPS Viewer, Windows Fax and Scan, MultiPoint Connector, Administrative Tools.
  • The root cause is a code defect in the Windows 10 v1507 servicing stack triggered when build version numbers crossed a specific range, causing Optional Components to be detected as 'not applicable' and reverted to RTM. Detection should focus on identifying unpatched Optional Components on affected builds.
  • CVE-2024-43491 is marked Exploitation Detected because the rollback reintroduced previously exploited CVEs — not because CVE-2024-43491 itself was exploited in the wild. Prioritize patching systems running KB5035858 through August 2024 updates.
  • Remediation requires installing SSU KB5043936 FIRST, then security update KB5043083, in that specific order, on affected Windows 10 v1507 systems.
  • Only Windows 10 version 1507 (Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB) is affected. All later versions of Windows 10 (released since November 2015) are NOT impacted.
  • Systems configured for automatic updates do not require manual intervention — they will receive both KB5043936 and KB5043083 automatically.
  • If any security update between March and August 2024 was already installed, the Optional Component fix rollback has already occurred and cannot be prevented retroactively — only the September 2024 updates restore the fixes.
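As an added example (not part of this record), the PowerShell check below applies the detection points above to one host: it confirms the OS build is 10240 within the rolled-back UBR range, lists enabled Optional Components from the vulnerable list, and checks for both September 2024 KBs. The Optional Component name patterns and the reliance on Get-HotFix are assumptions, as noted in the comments.

```powershell
# Added example, not part of the CVE record: a defender-side exposure check for
# CVE-2024-43491 on a single host. Assumptions: run from an elevated PowerShell on the
# host; the Optional Component name patterns are assumed and should be confirmed against
# Get-WindowsOptionalFeature output; Get-HotFix may not list servicing stack updates, so
# a "missing" KB5043936 here is a prompt to verify via Windows Update history, not proof.

$FirstRolledBackUbr = 20526                      # OS Build 10240.20526 = KB5035858 (March 2024)
$FixedUbr           = 20766                      # "Fixed in 10.0.10240.20766" (Affected table)
$RequiredKbs        = @('KB5043936', 'KB5043083') # SSU first, then the security update

# Name patterns for the vulnerable Optional Components listed in the record (assumed names).
$ComponentPatterns = @('NetFx4*', '*ADAM*', 'Internet-Explorer*', 'IIS-*', 'SMB1*', 'MSMQ*',
                       '*LPDPrintService*', 'WindowsMediaPlayer', 'WorkFolders*', 'Xps*',
                       'Fax*', 'MultiPoint*')

function Test-Cve202443491Exposure {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR                       # Update Build Revision, e.g. 20526

    # Only Windows 10 1507 (build 10240) is in scope; every later Windows 10 build is not.
    $inScope    = ($build -eq 10240)
    $rolledBack = $inScope -and ($ubr -ge $FirstRolledBackUbr) -and ($ubr -lt $FixedUbr)

    $installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missingKbs = @($RequiredKbs | Where-Object { $_ -notin $installed })

    # Enabled Optional Components matching the vulnerable list: the exposed surface.
    $exposed = @(Get-WindowsOptionalFeature -Online | Where-Object {
        $f = $_
        $f.State -eq 'Enabled' -and ($ComponentPatterns | Where-Object { $f.FeatureName -like $_ })
    })

    if ($rolledBack)  { $action = 'Install SSU KB5043936 first, then KB5043083' }
    elseif ($inScope) { $action = 'Build outside the rolled-back range; confirm both KBs' }
    else              { $action = 'Not Windows 10 1507; not affected by this CVE' }

    [pscustomobject]@{
        OSBuild           = "10.0.$build.$ubr"
        Windows10_1507    = $inScope
        FixRolledBack     = $rolledBack
        ExposedComponents = $exposed.FeatureName
        MissingUpdates    = $missingKbs
        Action            = $action
    }
}

Test-Cve202443491Exposure | Format-List
```

Run it across the 1507 LTSB fleet and treat any host with FixRolledBack set and a non-empty ExposedComponents list as the priority remediation set.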

CVSS provenance

nvd:         v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:         9.8  CRITICAL
vendor_msrc:       9.8  CRITICAL