CVE-2024-43491: 
vulnerability analysis and mitigation

Microsoft has identified a vulnerability in the Servicing Stack (CVE-2024-43491) that affects Windows 10 version 1507 systems. This vulnerability has caused the rollback of previously implemented security fixes for Optional Components, specifically impacting Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB systems that installed the Windows security update KB5035858 released on March 12, 2024, or other updates released until August 2024. The vulnerability was disclosed in September 2024 and has been assigned a CVSS v3.1 base score of 9.8 (Critical) (NVD).

The vulnerability is classified as a Use-After-Free (CWE-416) issue that affects the Windows Update system. It received a Critical severity rating with a CVSS v3.1 score of 9.8, indicating high impacts on confidentiality, integrity, and availability. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N) (NVD).

The vulnerability allows attackers to exploit previously mitigated vulnerabilities on affected Windows 10 version 1507 systems. This effectively reopens security gaps that were previously patched, potentially exposing systems to various forms of attacks that were previously addressed (NVD).

Microsoft has released mitigation steps requiring the installation of two updates in a specific order: first, the September 2024 Servicing stack update (SSU KB5043936), followed by the September 2024 Windows security update (KB5043083). It's important to note that this vulnerability only affects Windows 10 version 1507, specifically the Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB editions that are still under support (NVD).