Cyber Resilience

CVE-2021-43890

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 15 December 2021

Modified: 25 February 2026
KEV added: 15 December 2021
Patch
CVSS v3.1 score: 7.1 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.2524 (96.3rd percentile)
Risk priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-43890 is a high-severity vulnerability in Microsoft App Installer whose weakness type (CWE) is unspecified. Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-43890 is a spoofing vulnerability in the AppX installer component of Microsoft Windows. It allows specially crafted MSIX packages to bypass expected validation when delivered through the ms-appinstaller URI scheme, enabling attackers to present malicious installers that appear legitimate.

An attacker can exploit the issue by sending phishing messages containing malicious attachments or links that invoke the App Installer. Successful exploitation requires the victim to open the attachment or URI; once executed, the package can install malware such as Emotet, Trickbot, or Bazaloader. Accounts running with standard user rights are less likely to be fully compromised than those with administrative privileges.

Microsoft’s December 2023 security update disables the ms-appinstaller protocol handler by default and provides links to updated App Installer packages. Advisories recommend applying the latest App Installer update, reviewing the published mitigations and workarounds, and restricting protocol handlers where possible.

Public reporting confirms ongoing exploitation by financially motivated actors who combine social-engineering lures with the ms-appinstaller scheme, prompting the recent default-disable change.

EU & UK References

Vulnerability details

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

CWE(s)
KEV date added: 15 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft
Product: App Installer
Affected versions: ≤ 1.16 · ≤ 1.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Disabling the ms-appinstaller URI scheme by default directly removes the attack vector used to deliver spoofed malicious MSIX packages.

Prevent: Applying the App Installer security update eliminates the validation bypass flaw that allows crafted packages to spoof legitimacy.

Prevent: Running users without administrative rights limits the scope of compromise when a malicious package is successfully installed.
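As an added example that is not part of this page, Microsoft's advisory, or any vendor tooling, the PowerShell script below audits a Windows host for the first two controls above: whether the ms-appinstaller protocol handler is disabled by policy, and which App Installer version is present relative to the "≤ 1.16" bound from this page's Affected Assets entry. With -Enforce it also writes the disabling policy value. It assumes that the "Enable App Installer ms-appinstaller protocol" Group Policy is backed by the DWORD value EnableMSAppInstallerProtocol (0 = disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, and that App Installer ships as the AppX package Microsoft.DesktopAppInstaller; both are my assumptions and should be verified against current Microsoft documentation before the script is used in an estate.

```powershell
# Added example, not code from the original page or from Microsoft.
# Audits a Windows host for the mitigations described above and, with -Enforce,
# applies the policy that disables the ms-appinstaller protocol handler.
#
# Assumptions (verify against current Microsoft documentation before relying on them):
#   - The Group Policy "Enable App Installer ms-appinstaller protocol" is stored as the
#     DWORD value EnableMSAppInstallerProtocol (0 = disabled) under
#     HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller.
#   - App Installer is the AppX package named Microsoft.DesktopAppInstaller.
#   - The "<= 1.16" affected bound is taken from this page's Affected Assets entry.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Enforce
)

$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # 'Disabled' when the policy value is 0, 'Enabled' when it is any other value,
    # 'NotConfigured' when the value is absent (the client then uses its built-in default).
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$PolicyValue -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-AppInstallerVersion {
    # Highest App Installer package version present for any user profile on the host.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1
    if ($null -eq $pkg) { return $null }
    return [version]$pkg.Version
}

function Test-WithinAffectedRange {
    param([version]$Version)
    # The page lists affected versions as <= 1.16; compare on major.minor only so
    # that a 1.16.x build is still reported as inside the range.
    if ($null -eq $Version) { return $false }
    return ($Version.Major -lt 1) -or ($Version.Major -eq 1 -and $Version.Minor -le 16)
}

function Disable-MsAppInstallerProtocol {
    # Writes the policy value locally; in a managed estate prefer setting it through a GPO,
    # since Group Policy processing can overwrite a manually written value.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyValue -PropertyType DWord -Value 0 -Force | Out-Null
}

$state   = Get-MsAppInstallerProtocolState
$version = Get-AppInstallerVersion

$report = [pscustomobject]@{
    Host                = $env:COMPUTERNAME
    ProtocolPolicy      = $state
    AppInstallerVersion = if ($null -ne $version) { $version.ToString() } else { 'not installed' }
    InAffectedRange     = Test-WithinAffectedRange -Version $version
}
$report | Format-List

if ($Enforce -and $state -ne 'Disabled') {
    Disable-MsAppInstallerProtocol
    Write-Output "Applied $PolicyValue = 0 under $PolicyPath (ms-appinstaller protocol disabled)."
}
```

Run it without arguments to produce an audit record per host (suitable for collection by a configuration-compliance job), and with -Enforce on hosts where the policy is not yet applied. Note that the version check reports only whether the installed build falls in the range this page lists; the actual fixed build for a given channel should be taken from the vendor advisory.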

References