Security Advisory: Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412)

On February 13, 2024, Microsoft released a critical patch for CVE-2024-21412, a vulnerability in Microsoft Defender SmartScreen related to internet shortcuts. This vulnerability has been actively exploited by the Water Hydra advanced persistent threat (APT) group, targeting financial market traders and deploying the DarkMe remote access trojan (RAT).

Understanding the Threat

Threat actors like Water Hydra exploit vulnerabilities such as CVE-2024-21412 to bypass security measures. They often leverage undisclosed zero-day vulnerabilities, which underscores the need for proactive vulnerability identification and mitigation.

Impact and Mitigation

The exploitation of CVE-2024-21412 allows attackers to compromise Windows hosts, potentially leading to data breaches, financial losses, and operational disruptions. It is important that you install the latest security patch that Microsoft has released to make sure your systems are not affected by this vulnerability. You may find the security patch here. Looking to the future, it is crucial for organizations to adopt a proactive approach to vulnerability management, threat intelligence monitoring, patch management, and incident response.

Below are a few best practices to keep in mind to help mitigate the risks posed by zero-day vulnerabilities moving forward:

  • Implement robust vulnerability management processes.
  • Monitor threat intelligence feeds for emerging threats.
  • Establish rigorous patch management procedures.
  • Develop and test incident response plans regularly.

By adopting these best practices, organizations can bolster their security posture against zero-day exploits and minimize the impact of potential attacks.

For Trend Micro Customers

Trend Micro, through its Zero Day Initiative (ZDI), actively identifies and mitigates vulnerabilities ahead of public patches. Trend Micro customers have been shielded from CVE-2024-21412 since January 17 through virtual patching. However, it is still best to apply the patch that Microsoft has already released. Trend Micro virtual patching is not a permanent solution but a way to give businesses more time to schedule when they can apply the proper Microsoft fix.

If you would like to learn more about the technical details, you can read more on the Trend Micro Blog here. If you would like a security consultation to find out whether you are safe from these vulnerabilities, you may contact us at marketing@ctlink.com.ph.