Description
Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-03-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing / Impersonation
Action: Patch Now
AI Analysis

Impact

Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network. This vulnerability is a classic data authenticity failure (CWE-345). The primary impact is the ability to impersonate legitimate app installers, undermining trust in update delivery.

Affected Systems

The affected products are Microsoft Windows App Client for Windows Desktop. No specific version information is supplied, meaning all current installations of this product may be vulnerable until a vendor update is applied.

Risk and Exploitability

CVSS score 5.9 indicates moderate severity. EPSS score is less than 1%, suggesting low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is network-based spoofing of installation data, but no detailed exploitation path is disclosed.

Generated by OpenCVE AI on March 17, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Windows App Client update from Microsoft

Generated by OpenCVE AI on March 17, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows App
CPEs cpe:2.3:a:microsoft:windows_app:*:*:*:*:*:windows:*:*
Vendors & Products Microsoft windows App

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network.
Title Windows App Installer Spoofing Vulnerability
First Time appeared Microsoft
Microsoft windows App Client For Windows Desktop
Weaknesses CWE-345
CPEs cpe:2.3:a:microsoft:windows_app_client_for_windows_desktop:*:*:*:*:*:windows:*:*
Vendors & Products Microsoft
Microsoft windows App Client For Windows Desktop
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows App Windows App Client For Windows Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:55.728Z

Reserved: 2026-01-14T16:59:33.462Z

Link: CVE-2026-23656

cve-icon Vulnrichment

Updated: 2026-03-11T14:52:53.052Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:13.900

Modified: 2026-03-12T19:15:00.713

Link: CVE-2026-23656

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:21Z

Weaknesses