NAVANEM
CVE-2024-43491

Microsoft Windows Update, servicing-stack rollback enables RCE on Windows 10 1507

Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015).

Overview

CVE-2024-43491 is a critical vulnerability in the Microsoft Windows Update servicing stack affecting Windows 10 version 1507 (the initial release from July 2015), including Enterprise LTSB (Long-Term Servicing Branch) and IoT editions. The vulnerability caused the servicing stack to incorrectly roll back previously applied security fixes for certain Optional Components, effectively reverting these components to their unpatched, vulnerable state. This silent regression re-exposed affected systems to multiple known remote code execution (RCE) vulnerabilities that had been previously remediated.

Technical Details

The root cause lies in how the Windows Update servicing stack processed cumulative updates for Optional Components on Windows 10 version 1507. When the September 2024 security update was applied, the servicing stack under-applied updates for specific Optional Components, restoring them to their pre-patch baseline state.

This rollback affected security fixes for multiple previously patched CVEs, including:

  • CVE-2018-8311 (Remote Code Execution)
  • CVE-2024-38014
  • Other vulnerabilities in Optional Components

The affected Optional Components had their security state silently degraded without any notification to administrators, making detection particularly challenging without explicit verification.

Impact

The impact of this vulnerability is severe for several reasons:

  1. Re-exposure to Known RCEs: Devices became vulnerable again to well-documented, weaponized exploits that attackers already understand how to leverage.

  2. Trust Model Violation: Windows 10 LTSB was specifically designed for environments requiring stability and cumulative patching guarantees-kiosks, ATMs, medical imaging systems, and industrial HMIs. This CVE fundamentally breaks the cumulative update trust model.

  3. Silent Regression: The rollback occurred without alerting administrators, meaning organizations may have believed their systems were protected when they were not.

While Microsoft reported no confirmed in-the-wild exploitation specific to this rollback mechanism, the re-exposed vulnerabilities themselves have known exploitation techniques available.

Mitigation

Microsoft has released specific updates to address this vulnerability:

  1. Apply KB5043936 (Servicing Stack Update) along with the September 2024 cumulative update
  2. Inventory all Windows 10 1507 LTSB and IoT devices in the environment
  3. Verify remediation by running Get-HotFix to confirm previously applied security KBs remain installed after applying the fix

Detection

Administrators should:

  • Audit Windows 10 1507 systems for the presence of KB5043936
  • Use Get-HotFix cmdlet to verify historical security updates remain applied
  • Monitor for any systems running Windows 10 version 1507 that may have regressed to vulnerable states