Cyber Resilience

CVE-2024-43461

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 September 2024
Modified: 28 October 2025
KEV Added: 16 September 2024
Patch: available (see the Microsoft advisory referenced below)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0990 (93.2nd percentile)
Risk Priority: 44 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-43461 is a high-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in the Microsoft Windows MSHTML Platform, affecting the Windows 10, Windows 11 and Windows Server releases listed under Affected Assets below. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 6.8% of CVEs by exploit likelihood (93.2nd percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog, so it should be treated as an actively exploited issue rather than a theoretical one.

Deeper analysis

CVE-2024-43461 is a spoofing vulnerability in the Windows MSHTML Platform that carries a CVSS 3.1 score of 8.8. The flaw is tracked under CWE-451 and affects the MSHTML rendering engine used by multiple Windows components for processing web content.

An unauthenticated remote attacker exploits the issue by serving specially crafted content that the victim must open or interact with, for example through a web browser or an application that embeds MSHTML. The CVSS vector (AV:N, PR:N, UI:R) reflects this: no credentials are needed, but user interaction is required, and the spoofed interface element is what induces that interaction. Successful exploitation allows the attacker to misrepresent what the user sees, with high impact on confidentiality, integrity and availability.

Microsoft’s advisory at msrc.microsoft.com details available patches, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild and requiring prioritized remediation.

EPSS for the vulnerability rose from a low baseline after disclosure to a peak of 0.1624 on 2024-09-18 before receding to the current value of 0.0990, indicating a measurable increase in observed exploitation interest following public release.

EU & UK References

Vulnerability details

Title: Windows MSHTML Platform Spoofing Vulnerability
CWE(s): CWE-451 (User Interface Misrepresentation of Critical Information)
KEV Date Added: 16 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Builds at or below the listed version are vulnerable; later builds carry the fix.

Microsoft Windows 10 1507: ≤ 10.0.10240.20766
Microsoft Windows 10 1607: ≤ 10.0.14393.7336
Microsoft Windows 10 1809: ≤ 10.0.17763.6293
Microsoft Windows 10 21H2: ≤ 10.0.19044.4894
Microsoft Windows 10 22H2: ≤ 10.0.19045.4894
Microsoft Windows 11 21H2: ≤ 10.0.22000.3197
Microsoft Windows 11 22H2: ≤ 10.0.22621.4169
Microsoft Windows 11 23H2: ≤ 10.0.22621.4169 · ≤ 10.0.22631.4169
Microsoft Windows 11 24H2: ≤ 10.0.26100.1742
Microsoft Windows Server 2008: all versions, including R2
+5 more product configurations; see NVD for the full list.
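The build thresholds above are only useful if they are checked against real hosts. The following PowerShell is an added example written for this page, not a Microsoft script or tooling from the CVE tracker itself. It reads the standard CurrentBuildNumber and UBR values from HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, looks up the release by build number, and compares the UBR (the fourth version component) against the maximum vulnerable build listed in Affected Assets. The function name and the hashtable are this example's own; the thresholds are copied from the table above, and Windows Server 2008 / 2008 R2, which the page lists without a build number, is reported as Unknown.

```powershell
# Added example: check a Windows host against the maximum vulnerable builds
# listed on this page for CVE-2024-43461. Not from Microsoft or the page author.
# A host whose UBR is at or below the listed value for its release is treated
# as unpatched. Releases absent from the table (e.g. Windows Server 2008,
# which the page lists without a build) are reported as Unknown.

$MaxVulnerableUbr = @{
    10240 = 20766   # Windows 10 1507
    14393 = 7336    # Windows 10 1607
    17763 = 6293    # Windows 10 1809
    19044 = 4894    # Windows 10 21H2
    19045 = 4894    # Windows 10 22H2
    22000 = 3197    # Windows 11 21H2
    22621 = 4169    # Windows 11 22H2 (also listed for 23H2)
    22631 = 4169    # Windows 11 23H2
    26100 = 1742    # Windows 11 24H2
}

function Test-Cve202443461Exposure {
    [CmdletBinding()]
    param(
        # Defaults read the local machine; pass -Build/-Ubr explicitly to
        # evaluate build strings collected from other hosts, or on older
        # releases where the UBR registry value is not present.
        [int]$Build = [int](Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber),
        [int]$Ubr   = [int](Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR)
    )

    $fullBuild = "10.0.$Build.$Ubr"

    # Release not covered by the table on this page: do not guess.
    if (-not $MaxVulnerableUbr.ContainsKey($Build)) {
        return [pscustomobject]@{
            Build  = $fullBuild
            Status = 'Unknown'
            Detail = 'Release not in the build table on this page; check NVD/MSRC for its threshold'
        }
    }

    $threshold = $MaxVulnerableUbr[$Build]
    [pscustomobject]@{
        Build  = $fullBuild
        Status = if ($Ubr -le $threshold) { 'Vulnerable' } else { 'Patched' }
        Detail = "Vulnerable through 10.0.$Build.$threshold"
    }
}

# Local host
Test-Cve202443461Exposure

# Constructed sample: a build string as exported from an inventory system.
# 10.0.19045.4894 is exactly the listed maximum for Windows 10 22H2, so it
# is reported as Vulnerable; 10.0.19045.4895 or higher would be Patched.
$parts = '10.0.19045.4894'.Split('.')
Test-Cve202443461Exposure -Build $parts[2] -Ubr $parts[3]
```

Run it locally for a one-off check, or feed it build strings exported from your inventory or endpoint management tool to find hosts that never received the September 2024 MSHTML update. The comparison is on UBR only, so it is valid only after the release has been matched by its build number; treat Unknown as a prompt to look the release up rather than as a pass.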

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References