CVE-2024-43461
Published: 10 September 2024
Summary
CVE-2024-43461 is a high-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Microsoft Windows 10 22H2. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 6.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
Deeper analysis
CVE-2024-43461 is a spoofing vulnerability in the Windows MSHTML Platform that carries a CVSS 3.1 score of 8.8. The flaw is tracked under CWE-451 and affects the MSHTML rendering engine used by multiple Windows components for processing web content.
An unauthenticated remote attacker can exploit the issue by serving specially crafted content that a user must interact with, such as through a web browser or application embedding MSHTML. Successful exploitation allows the attacker to spoof user interface elements, potentially leading to high impacts on confidentiality, integrity, and availability.
Microsoft’s advisory at msrc.microsoft.com details available patches, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild and requiring prioritized remediation.
EPSS for the vulnerability rose from a low baseline after disclosure to a peak of 0.1624 on 2024-09-18 before receding to the current value of 0.0990, indicating a measurable increase in observed exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40730
Vulnerability details
Windows MSHTML Platform Spoofing Vulnerability
- CWE(s): CWE-451
- KEV Date Added: 16 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.