HighCISA KEVExploited in the wildPublic exploit

Windows MSHTML Platform Spoofing Vulnerability

IdentifiersCVE-2024-38112CWE-451· User Interface (UI)…

CVE-2024-38112 is a vulnerability in the Windows MSHTML platform that Microsoft classified as a spoofing issue, but multiple cited reports describe it as being exploited via the MHTML/MSHTML handling path to access and execute attacker-controlled files through the disabled-but-present Internet Explorer components on Windows. Public reporting indicates the exploit chain abused specially crafted .URL internet shortcut files, the MHTML protocol handler, and x-usc directives to invoke Internet Explorer/MSHTML and retrieve a malicious HTA/HTML payload, leading to execution of subsequent script and malware stages. The issue was exploited in the wild as a zero-day by the Void Banshee threat actor to deliver Atlantida stealer. Microsoft patched the issue in July 2024; reporting states the fix broke the attack chain by unregistering the MHTML handler from Internet Explorer.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause the victim system to open and execute attacker-controlled content in the context of the logged-on user after the victim launches a malicious file. In observed attacks, this enabled delivery and execution of multi-stage malware, culminating in Atlantida stealer, which performed credential theft, cookie theft, cryptocurrency wallet data theft, screenshot capture, desktop file collection, and exfiltration of stolen data. Impact therefore includes arbitrary payload delivery, user-context code execution, data theft, and follow-on compromise depending on the privileges of the affected user.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by blocking or tightly controlling execution of untrusted .URL, .HTA, and other internet-delivered shortcut/scriptable file types; prevent users from opening files received via email, cloud-sharing links, Discord, compromised websites, or other untrusted sources; enforce least privilege so exploitation occurs in a lower-privileged user context; and use endpoint protection/behavioral controls to detect suspicious invocation of Internet Explorer/MSHTML, HTA execution, PowerShell download cradles, and process injection behavior. Additional hardening of legacy Internet Explorer/MSHTML components where operationally feasible may further reduce risk.

Remediation

Patch, then assume compromise.

Apply Microsoft's July 2024 security updates for CVE-2024-38112. Supporting reporting states Microsoft's remediation broke the exploit chain by unregistering the MHTML handler from Internet Explorer. Organizations should ensure affected Windows systems are fully updated with the relevant cumulative/security updates and verify that the MSHTML/Internet Explorer-related fix is present across supported endpoints.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 10 1507operating_system

Microsoft CorporationWindows 10 1607operating_system

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 21h2operating_system

Microsoft CorporationWindows 11 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Server 2008 Sp2operating_system

Microsoft CorporationWindows Server 2012operating_system

Microsoft CorporationWindows Server 2012 R2operating_system

Microsoft CorporationWindows Server 2016operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

help net securityNews

Oct 8, 2024

Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)

A Windows MSHTML vulnerability previously exploited as a zero-day (July 2024) and referenced as similar to CVE-2024-43573.

the hacker newsNews

Sep 11, 2024

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

A vulnerability exploited (in an attack chain with CVE-2024-43461) to deliver Atlantida stealer malware; patched by Microsoft in July 2024.

outpost24 blogNews

Aug 20, 2024

Threat Context monthly: Executive intelligence briefing for August 2024

A zero-day vulnerability in Internet Explorer's MSHTML engine that allows access and execution of files, exploited by threat actors to deploy information-stealing malware.

trend micro researchNews

Jul 15, 2024

CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

A zero-day MSHTML remote code execution vulnerability in Windows that allowed attackers to abuse the MHTML protocol handler and x-usc directives via .URL files to access the disabled Internet Explorer process and execute malicious content.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware5

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-38112

NVD

nvd.nist.gov/vuln/detail/CVE-2024-38112

MITRE CWE · CWE-451

User Interface (UI) Misrepresentation of…

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38112