CVE-2021-43890 — Microsoft Windows AppX Installer Spoofing Vulnerability

CVE-2021-43890

Windows AppX Installer — Spoofing Enables Malicious MSIX Packages to Appear as Trusted Publishers; Exploited by Emotet and BazaLoader for Malware Delivery

What is Windows AppX Installer?

The Windows AppX Installer (App Installer, ms-appinstaller: protocol) is a Windows component that manages installation of MSIX packages — the modern Windows application packaging format used by the Windows Store and enterprise app distribution. The ms-appinstaller: URI scheme allows links on web pages and in documents to trigger the AppX Installer to download and install MSIX packages directly. While designed for legitimate app deployment, this capability has been extensively abused for malware delivery: malicious links disguised as software downloads trigger AppX Installer, which displays a trusted-looking installation dialog. The spoofing vulnerability made this even more effective by allowing malicious packages to impersonate trusted publishers.

Overview

CVE-2021-43890 is a spoofing vulnerability in the Windows AppX Installer. The vulnerability allows an attacker to create malicious MSIX installer packages that appear to have been signed by a legitimate, trusted publisher when presented in the AppX Installer dialog — even when they are not. Users who encounter the malicious installer see a dialog that appears to come from a trusted organization (e.g., Microsoft Teams, Adobe, or other familiar software), bypassing the visual trust indicators designed to warn users about unsigned or untrusted packages. Microsoft identified active exploitation by the Emotet and BazaLoader malware distribution groups, which used this technique to deploy their payloads. CISA added this to KEV on the same day as the patch — a zero-day at time of patch release.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 with App Installer (ms-appinstaller scheme enabled) | Yes | December 2021 update
Windows 11 | Yes | December 2021 update

Technical Details

The AppX Installer spoofing vulnerability allows attacker-controlled metadata in an MSIX package to override or bypass the publisher verification display in the installation UI:

  • Root cause: Spoofing — the AppX Installer does not adequately validate publisher identity information in certain MSIX package metadata fields before displaying it to users in the installation UI
  • User trust manipulation: The installer dialog shows an attacker-supplied display name that can impersonate trusted publishers (e.g., "Microsoft Corporation" or "Adobe Systems") even when the MSIX package is not actually signed by those organizations
  • Social engineering amplification: The ms-appinstaller: URI scheme allows web pages to trigger the AppX Installer with a single click, and the spoofed publisher name in the dialog persuades users to proceed with installation
  • User interaction required (UI:R): The victim must click through the installation dialog — but the spoofed publisher display makes this significantly more likely
  • Malware delivery: After clicking through the dialog, the malicious MSIX package installs malware (Emotet, BazaLoader, IcedID, and others) on the system
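The list above turns on one distinction: the installer dialog shows the free-text PublisherDisplayName from the package's Properties element, while the Publisher attribute of the Identity element is the distinguished name that a valid package signature must match. The Python triage script below is an added example, not code from this page or from Microsoft. It reads AppxManifest.xml out of an MSIX package (a zip archive), compares the two fields against a constructed allowlist, and records whether an AppxSignature.p7x blob is present. "Contoso Software" and its DN are placeholder values, the sample packages are built in memory, and the script does not validate the signature itself, so a "consistent" result is a precondition for trust, not proof of it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of the Windows 10 AppxManifest.xml schema.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Constructed allowlist: the Identity/@Publisher DN expected behind a display
# name users recognise.  Placeholder values for this example; a real deployment
# would populate it from packages it has verified itself.
EXPECTED_PUBLISHER_DN = {
    "Contoso Software": "CN=Contoso Software, O=Contoso Software, C=US",
}

# Minimal manifest skeleton used only to build the in-memory sample packages.
MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="{ns}">
  <Identity Name="{name}" Publisher="{publisher}" Version="1.0.0.0" />
  <Properties>
    <DisplayName>{name}</DisplayName>
    <PublisherDisplayName>{display}</PublisherDisplayName>
    <Logo>Assets\\logo.png</Logo>
  </Properties>
</Package>
"""


def _xml(value):
    """Escape text for use in element content or a double-quoted attribute."""
    return escape(value, {'"': "&quot;"})


def build_sample_package(name, publisher_dn, display_name, signed=True):
    """Construct a minimal MSIX-like zip archive in memory (sample data only)."""
    manifest = MANIFEST_TEMPLATE.format(
        ns=NS["m"], name=_xml(name), publisher=_xml(publisher_dn), display=_xml(display_name)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:
            # Real packages carry a PKCS#7 signature here; this is a placeholder blob.
            zf.writestr("AppxSignature.p7x", b"placeholder-signature-blob")
    return buf.getvalue()


def inspect_msix(package_bytes):
    """Compare the displayed publisher name with the Identity Publisher DN."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AppxManifest.xml")
    root = ET.fromstring(manifest)

    identity = root.find("m:Identity", NS)
    identity_dn = identity.get("Publisher", "") if identity is not None else ""
    display_el = root.find("m:Properties/m:PublisherDisplayName", NS)
    display_name = (display_el.text or "").strip() if display_el is not None else ""

    # Presence of the signature blob only means the package claims to be signed;
    # validating it is the platform's job and is out of scope here.
    has_signature_blob = "AppxSignature.p7x" in names

    expected_dn = EXPECTED_PUBLISHER_DN.get(display_name)
    if expected_dn is None:
        verdict = "UNKNOWN_PUBLISHER"          # display name not in the allowlist
    elif identity_dn != expected_dn:
        verdict = "SPOOFED_DISPLAY_NAME"       # familiar name, unexpected identity
    elif not has_signature_blob:
        verdict = "UNSIGNED"                   # consistent fields, but nothing to verify
    else:
        verdict = "DISPLAY_NAME_CONSISTENT"    # still requires signature validation
    return {
        "identity_publisher": identity_dn,
        "publisher_display_name": display_name,
        "has_signature_blob": has_signature_blob,
        "verdict": verdict,
    }


# Constructed sample packages covering each verdict.
SAMPLES = {
    "legitimate": build_sample_package(
        "Contoso.App", "CN=Contoso Software, O=Contoso Software, C=US", "Contoso Software"),
    "spoofed": build_sample_package(
        "Update.App", "CN=Unrelated Publisher, O=Unrelated, C=XX", "Contoso Software"),
    "unsigned": build_sample_package(
        "Contoso.Tool", "CN=Contoso Software, O=Contoso Software, C=US", "Contoso Software", signed=False),
    "unknown": build_sample_package("Other.App", "CN=Someone Else, C=XX", "Someone Else"),
}


def run_samples():
    """Return the verdict for each constructed sample package."""
    return {label: inspect_msix(data)["verdict"] for label, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:<11} {verdict}")
```

Running the script prints one verdict per sample; for a package from a download or an incident, pass its bytes to inspect_msix and treat SPOOFED_DISPLAY_NAME and UNSIGNED as triage flags, and DISPLAY_NAME_CONSISTENT as something still to be confirmed against the actual signature.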

Discovery

Discovered by Microsoft's security teams during analysis of active Emotet and BazaLoader campaigns. Microsoft reported that the vulnerability was already being exploited in the wild (a zero-day) when the patch was released.

Exploitation Context

The December 2021 period marked the Emotet relaunch — after takedown by Europol in January 2021, Emotet returned in November 2021 and adopted the MSIX AppInstaller delivery method (alongside other techniques). BazaLoader (used by TrickBot/Conti operators) also leveraged this technique for initial access leading to ransomware deployment. The spoofing made the delivery significantly more effective as users saw familiar, trusted publisher names in the installer prompt. Microsoft subsequently disabled the ms-appinstaller protocol handler in some configurations to reduce abuse of this attack surface.

Remediation

  1. Apply December 2021 Patch Tuesday cumulative update to address CVE-2021-43890
  2. Microsoft also released a policy to disable the ms-appinstaller URI scheme handler — consider enabling this Group Policy setting to prevent web-based MSIX installation: Computer Configuration\Administrative Templates\Windows Components\App Package Deployment\Allow all trusted apps to install
  3. Train users to be skeptical of unexpected software installation prompts, even those showing trusted publisher names
  4. Deploy application allowlisting (Windows Defender Application Control or AppLocker) to prevent unauthorized MSIX packages from installing
  5. Review installed applications for unexpected MSIX packages installed around the time of the vulnerability's exploitation window
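Step 2 restricts the ms-appinstaller: attack surface and step 5 asks for a review of what came in through it. The Python scanner below is an added example, not code from this page or from Microsoft, covering both from the log side: it extracts package URLs from ms-appinstaller:?source= links in captured page or e-mail content, and flags .msix, .msixbundle and .appinstaller downloads in proxy logs that come from hosts outside an allowlist. The trusted host, the hostnames in the sample data and the whitespace-separated log format are constructed placeholders; adapt the field positions to your own proxy's format.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts the organisation expects to serve MSIX packages from (constructed placeholder).
TRUSTED_PACKAGE_HOSTS = {"apps.contoso.example"}

# The App Installer protocol link as it appears in a page or document:
#   ms-appinstaller:?source=<URL of the .msix / .msixbundle / .appinstaller>
APPINSTALLER_LINK = re.compile(r"""ms-appinstaller:\?source=([^\s"'<>]+)""", re.IGNORECASE)

# File types the App Installer consumes.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle", ".appinstaller", ".appx", ".appxbundle")


def extract_appinstaller_sources(text):
    """Return the package URLs referenced by ms-appinstaller: links in text."""
    return [unquote(m.group(1)) for m in APPINSTALLER_LINK.finditer(text)]


def classify_package_url(url, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """'trusted' when the host is on the allowlist, otherwise 'untrusted'."""
    host = (urlsplit(url).hostname or "").lower()
    return "trusted" if host in trusted_hosts else "untrusted"


def scan_proxy_log(lines, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Flag package downloads from non-allowlisted hosts.

    Assumed (constructed) log format: "<timestamp> <client> <method> <url> <status>".
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        timestamp, client, _method, url, _status = parts[:5]
        path = urlsplit(url).path.lower()
        if path.endswith(PACKAGE_EXTENSIONS) and classify_package_url(url, trusted_hosts) == "untrusted":
            findings.append({"time": timestamp, "client": client, "url": url})
    return findings


# Constructed sample inputs.
SAMPLE_HTML = (
    '<p>Your software needs an update.</p>'
    '<a href="ms-appinstaller:?source=https://cdn.downloads.example/Update.msix">Install update</a>'
)
SAMPLE_PROXY_LOG = [
    "2021-12-15T10:01:02Z 10.0.0.12 GET https://apps.contoso.example/LineOfBusiness.msix 200",
    "2021-12-15T10:05:44Z 10.0.0.12 GET https://cdn.downloads.example/Update.msix 200",
    "2021-12-15T10:06:01Z 10.0.0.31 GET https://www.example.net/index.html 200",
    "2021-12-15T10:07:13Z 10.0.0.31 GET https://files.downloads.example/Installer.appinstaller 200",
]


if __name__ == "__main__":
    for url in extract_appinstaller_sources(SAMPLE_HTML):
        print(f"link -> {url} [{classify_package_url(url)}]")
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['time']} {f['client']} downloaded package from untrusted host: {f['url']}")
```

The two functions answer different questions: extract_appinstaller_sources tells you where a lure pointed, while scan_proxy_log tells you which clients actually fetched a package, which is the list to reconcile against installed MSIX packages in step 5.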

Key Details

Property | Value
CVE ID | CVE-2021-43890
Vendor / Product | Microsoft — Windows
NVD Published | 2021-12-15
NVD Last Modified | 2026-02-25
CVSS 3.1 Score | 7.1
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CISA KEV Added | 2021-12-15
CISA KEV Deadline | 2021-12-29
Known Ransomware Use | ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-12-29. Apply updates per vendor instructions.

Timeline

Date | Event
2021-12-14 | Microsoft patches CVE-2021-43890 in December 2021 Patch Tuesday
2021-12-15 | CVE published; CISA adds to KEV on same day — confirms zero-day exploitation
2021-12 | Microsoft identifies Emotet and BazaLoader as threat groups exploiting MSIX AppInstaller for malware delivery
2021-12-29 | CISA BOD 22-01 remediation deadline