Security readout for executives and security teams
Plain-English summary
This is a Windows App Installer spoofing flaw used in phishing-driven malware delivery. A user must be persuaded to open a malicious package or attachment. Successful abuse can expose data, alter systems, and disrupt availability. Microsoft and CISA both indicate real-world exploitation, so this is an operational risk, not just a theoretical bug.
Executive priority
Prioritize remediation across Windows fleets because this CVE is in CISA KEV and tied to known malware delivery. Focus first on high-risk user populations, externally exposed email workflows, and endpoints where users have elevated rights. Treat vendor guidance as authoritative for exact update and mitigation requirements.
Technical view
CVE-2021-43890 affects Microsoft App Installer. The CVSS 3.1 score is 7.1, with network attack vector, high attack complexity, low privileges, and required user interaction. Microsoft reports malicious packages associated with Emotet, Trickbot, and Bazaloader, and later misuse of the ms-appinstaller URI scheme by financially motivated actors.
Likely exposure
Exposure is most likely on Windows endpoints with Microsoft App Installer present, especially where users receive external email or web links. Risk is higher where ms-appinstaller handling is enabled, users can install packages, and accounts have administrative rights. The source bundle names App Installer version 1.0.0.0 but does not provide a complete affected-version matrix.
Exploitation context
Active exploitation is supported by CISA KEV status and Microsoft reporting. Attacks rely on social engineering and phishing, using specially crafted packages or attachments. Microsoft also reported increased abuse of the ms-appinstaller URI scheme in late 2023 and changed App Installer to disable that protocol by default.
Researcher notes
The evidence supports exploited phishing-based abuse, not unauthenticated remote compromise. User interaction is required, and lower-privilege users may reduce impact. Sources do not provide exploit details here, and they should not be recreated. The strongest validation path is version, protocol-handler, endpoint telemetry, and mail-delivery review.
Mitigation direction
- Install Microsoft’s updated App Installer or follow current MSRC guidance.
- Verify ms-appinstaller protocol handling is disabled unless explicitly required.
- Apply Microsoft’s documented mitigations and workarounds for this CVE.
- Limit local administrative rights for standard users.
- Strengthen phishing controls for attachments, links, and package installers.
Validation and detection
- Inventory Windows endpoints with Microsoft App Installer installed.
- Confirm App Installer is updated according to Microsoft guidance.
- Check whether ms-appinstaller protocol handling remains enabled.
- Review endpoint detections for suspicious App Installer or MSIX activity.
- Review mail and web telemetry for related phishing delivery patterns.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2021-43890 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.1 (3.1)
- Known Exploited
- Yes
- Published
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C1.25.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
7.1HighVector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Source materials
- CVE List V5 sourceCVE List V5
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890CVE reference · x_refsource_MISC
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/CVE reference
- https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.htmlCVE reference
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/CVE reference
- https://github.com/ChrisTitusTech/winutil/pull/26CVE reference
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
