Overview
CVE-2024-43491 is a critical zero-day vulnerability discovered in Microsoft’s Windows Update system, which allows attackers to reverse previously applied security updates. This vulnerability, actively exploited in the wild, enables a form of “downgrade attack”, effectively nullifying security patches and exposing systems to older vulnerabilities. The flaw was first disclosed by Microsoft in September 2024, after being flagged as a critical issue with a CVSS severity score of 9.8/10, one of the highest possible ratings for a security flaw. The exploitation of this vulnerability puts older versions of Windows, particularly Windows 10 version 1507, at high risk, forcing urgent action from organizations to mitigate the threat.
Vulnerability Details
- CVE ID: CVE-2024-6387
- Description: The vulnerability resides within the Windows Servicing Stack, specifically affecting Windows 10 version 1507, including Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB. It allows attackers to roll back security updates applied to these systems, making them susceptible to previously patched vulnerabilities.
- Affected Versions: This vulnerability impacts Windows 10 version 1507 (initially released in July 2015) and versions that installed updates up to August 2024, including the Windows security update KB5035858 (OS Build 10240.20526). Newer Windows 10 versions remain unaffected.
Analysis
The core issue behind CVE-2024-43491 is a flaw in the Windows Update mechanism. The vulnerability allows for “rollback attacks” or “downgrade attacks,” where attackers revert operating systems to a previous state where they were vulnerable to older exploits. These attacks bypass integrity checks and can falsely signal that the system is fully updated, even though key patches are removed. This vulnerability was related to similar issues demonstrated at the 2024 Black Hat conference, where researchers showed how Microsoft’s update architecture could be exploited to downgrade OS components and bypass critical security layers.
Past Exploitation
Exploitation of CVE-2024-43491 has been documented in the wild, although Microsoft has not released specific indicators of compromise (IOCs) to track attacks. However, it is believed that attackers have already begun leveraging this flaw to bypass security measures in targeted systems. The rollback attack concept is particularly dangerous because it can make a system that was considered secure vulnerable again, potentially opening the door to known exploits that had already been mitigated.
This vulnerability is part of a broader trend in 2024, where Microsoft has had to deal with 21 zero-day attacks in its ecosystem, showcasing the increasing sophistication of attackers. The exploitation of CVE-2024-43491 fits into a wider landscape of threats where attackers are finding creative ways to bypass patches and undermine Windows’ built-in security features.
Take Action
To mitigate the risk posed by CVE-2024-43491, Microsoft has released a set of updates and advisories. Users of affected Windows versions must immediately install the Servicing Stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083) in the correct order to protect their systems from this vulnerability.
- Step 1: Install SSU KB5043936
- Step 2: Install Windows security update KB5043083
Failure to follow these steps could leave systems exposed to attacks, as the vulnerability directly undermines previous patches.
In addition to applying these updates, organizations should review their patch management procedures and consider enhanced monitoring for any unusual downgrade activity within their systems. Given the stealthy nature of these rollback attacks, thorough monitoring and quick patch application are essential to mitigate this critical threat.
Sources: