CVE-2024-43491 Overview
CVE-2024-43491 is a remote code execution vulnerability in the Microsoft Windows Servicing Stack affecting Windows 10, version 1507. The Servicing Stack rolled back fixes for previously mitigated vulnerabilities in Optional Components, re-exposing affected systems to exploitation. Systems that installed the March 12, 2024 security update (KB5035858, OS Build 10240.20526) through August 2024 updates are vulnerable. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions remain in scope, as Windows 10 1507 reached end of support in May 2017 for other editions. Microsoft addressed the issue through the September 2024 Servicing Stack Update (KB5043936) and Windows security update (KB5043083).
Critical Impact
Attackers can exploit previously patched Optional Component vulnerabilities over the network without authentication or user interaction, leading to full system compromise.
Affected Products
- Microsoft Windows 10 Enterprise 2015 LTSB (version 1507, x64 and x86)
- Microsoft Windows 10 IoT Enterprise 2015 LTSB (version 1507)
- Windows 10 1507 systems with KB5035858 or any update released through August 2024
Discovery Timeline
- 2024-09-10 - CVE-2024-43491 published to the National Vulnerability Database
- 2024-09-10 - Microsoft releases SSU KB5043936 and security update KB5043083
- 2024-09-26 - Last updated in NVD database
Technical Details for CVE-2024-43491
Vulnerability Analysis
The vulnerability resides in the Windows Servicing Stack, the component responsible for installing Windows updates. The Servicing Stack incorrectly reverted security fixes for several Optional Components on Windows 10 version 1507 systems. After installing KB5035858 or later updates through August 2024, the build version reports as patched while the underlying binaries for Optional Components revert to pre-patch states.
Microsoft associates the issue with a Use-After-Free condition [CWE-416]. Optional Components affected include features such as Active Directory Lightweight Directory Services, XPS Viewer, Internet Explorer 11, LPD Print Service, Microsoft-Windows-MSMQ-Server, and Windows Media Player, among others.
Attackers can leverage any of the re-introduced vulnerabilities that previously carried network-exploitable attack surfaces. The CWE-416 designation indicates one or more of the rolled-back fixes addressed memory corruption issues exploitable for remote code execution.
Root Cause
The root cause is a defect in the Servicing Stack logic that determines which component versions to apply during cumulative update installation. The stack selected older, vulnerable binaries for Optional Components instead of preserving the patched versions, effectively reintroducing fixed flaws while leaving the OS build number unchanged.
Attack Vector
Exploitation depends on which rolled-back Optional Component an attacker targets. Network-facing components such as MSMQ and LPD Print Service expose remote attack surfaces reachable without prior authentication. The EPSS score of 18.18% (95th percentile) reflects an elevated likelihood of exploit activity compared to typical CVEs.
Because the affected SKUs are LTSB editions deployed in industrial, embedded, and long-life enterprise environments, exposed services often persist on internal networks for extended periods. Attackers scanning for legacy Windows 10 1507 hosts can identify candidates and target whichever rolled-back vulnerability matches the enabled Optional Components.
No public proof-of-concept code is currently associated with CVE-2024-43491, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-43491
Indicators of Compromise
- Windows 10 1507 systems reporting OS Build 10240.20526 or any build between March 2024 and August 2024 without the September 2024 SSU and LCU installed
- Unexpected processes spawned by Optional Component services such as mqsvc.exe (MSMQ), lpdsvc, or wmplayer.exe
- Outbound network connections from Optional Component binaries to untrusted hosts
Detection Strategies
- Inventory Windows 10 version 1507 endpoints and verify installation of KB5043936 (SSU) followed by KB5043083 (LCU)
- Audit installed Optional Components using DISM /online /Get-Features and disable any that are not required
- Correlate update history in %SystemRoot%\Logs\CBS\CBS.log to confirm successful application of the September 2024 servicing stack update
Monitoring Recommendations
- Alert on exploitation patterns historically associated with legacy Optional Components, including anomalous RPC, SMB, and MSMQ traffic to LTSB hosts
- Track child-process creation from Internet Explorer, Windows Media Player, and XPS Viewer on LTSB endpoints
- Continuously monitor patch compliance for LTSB fleets, which often fall outside standard patch cadence reporting
How to Mitigate CVE-2024-43491
Immediate Actions Required
- Install the September 2024 Servicing Stack Update KB5043936 first, then the September 2024 cumulative security update KB5043083, in that exact order
- Identify all Windows 10 1507 LTSB and IoT LTSB systems in the environment and prioritize them for patching
- Disable unused Optional Components on affected hosts to reduce exposure to any rolled-back vulnerability
Patch Information
Microsoft published remediation guidance in the Microsoft CVE-2024-43491 Advisory. The fix requires two updates applied sequentially: the servicing stack update KB5043936 followed by the cumulative security update KB5043083. Installing the LCU without the SSU will not restore the previously patched state of the Optional Components.
Workarounds
- Segment Windows 10 1507 LTSB systems on isolated network zones with strict ingress and egress filtering until both September 2024 updates are applied
- Remove or disable non-essential Optional Components using DISM to shrink the exploitable surface
- Restrict legacy protocols including SMBv1, LPD, and MSMQ at the network boundary for affected hosts
# Verify and install the required September 2024 updates on Windows 10 1507
# 1. Confirm current OS build
wmic os get BuildNumber,Version
# 2. Install the Servicing Stack Update FIRST
wusa.exe Windows10.0-KB5043936-x64.msu /quiet /norestart
# 3. Install the cumulative security update SECOND
wusa.exe Windows10.0-KB5043083-x64.msu /quiet /norestart
# 4. Reboot and validate
shutdown /r /t 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
