LiveActive security incident?Get immediate response
CVE Record

CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

HighCVSS 7.1Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a Windows App Installer spoofing flaw used in phishing-driven malware delivery. A user must be persuaded to open a malicious package or attachment. Successful abuse can expose data, alter systems, and disrupt availability. Microsoft and CISA both indicate real-world exploitation, so this is an operational risk, not just a theoretical bug.

Executive priority

Prioritize remediation across Windows fleets because this CVE is in CISA KEV and tied to known malware delivery. Focus first on high-risk user populations, externally exposed email workflows, and endpoints where users have elevated rights. Treat vendor guidance as authoritative for exact update and mitigation requirements.

Technical view

CVE-2021-43890 affects Microsoft App Installer. The CVSS 3.1 score is 7.1, with network attack vector, high attack complexity, low privileges, and required user interaction. Microsoft reports malicious packages associated with Emotet, Trickbot, and Bazaloader, and later misuse of the ms-appinstaller URI scheme by financially motivated actors.

Likely exposure

Exposure is most likely on Windows endpoints with Microsoft App Installer present, especially where users receive external email or web links. Risk is higher where ms-appinstaller handling is enabled, users can install packages, and accounts have administrative rights. The source bundle names App Installer version 1.0.0.0 but does not provide a complete affected-version matrix.

Exploitation context

Active exploitation is supported by CISA KEV status and Microsoft reporting. Attacks rely on social engineering and phishing, using specially crafted packages or attachments. Microsoft also reported increased abuse of the ms-appinstaller URI scheme in late 2023 and changed App Installer to disable that protocol by default.

Researcher notes

The evidence supports exploited phishing-based abuse, not unauthenticated remote compromise. User interaction is required, and lower-privilege users may reduce impact. Sources do not provide exploit details here, and they should not be recreated. The strongest validation path is version, protocol-handler, endpoint telemetry, and mail-delivery review.

Mitigation direction

  • Install Microsoft’s updated App Installer or follow current MSRC guidance.
  • Verify ms-appinstaller protocol handling is disabled unless explicitly required.
  • Apply Microsoft’s documented mitigations and workarounds for this CVE.
  • Limit local administrative rights for standard users.
  • Strengthen phishing controls for attachments, links, and package installers.

Validation and detection

  • Inventory Windows endpoints with Microsoft App Installer installed.
  • Confirm App Installer is updated according to Microsoft guidance.
  • Check whether ms-appinstaller protocol handling remains enabled.
  • Review endpoint detections for suspicious App Installer or MSIX activity.
  • Review mail and web telemetry for related phishing delivery patterns.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-43890 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.1 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
7Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.1CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C1.25.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

7.1High
CVSS 3.1 vector shape for CVE-2021-43890Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
MicrosoftApp Installer1.0.0.0Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.