Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-36025
8.8 HIGH

Key Information

Vendor: Microsoft

Status:
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022

CVE Published: 14 November 2023

Badges

  • Trended
  • Exploit Exists
  • Public PoC
  • News Worthy

Summary

CVE-2023-36025 is a critical vulnerability in the Windows SmartScreen security feature that allows attackers to bypass Windows Defender SmartScreen checks without triggering alerts. The flaw can be exploited by getting users to click on a maliciously crafted Internet shortcut or a link pointing to such a file. Once exploited, this could lead to successful phishing attacks, malware distribution, and other cybersecurity threats. Exploitation by APT Group TA544 has been observed, as well as reports of a financially motivated group abusing the flaw to distribute the Ursnif banking Trojan. This is the third zero-day bug in SmartScreen that Microsoft has disclosed this year, indicating the significance and potential widespread impact of the issue. Exploitation of this vulnerability poses a significant threat as it can lead to users' systems being hijacked and compromised, potentially resulting in data breaches and further spread of malware. It's crucial for organizations to promptly address this vulnerability to mitigate these risks.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-36025 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Windows 10 Version 1809 < 10.0.17763.5122

Windows Server 2019 < 10.0.17763.5122

Windows Server 2019 (Server Core installation) < 10.0.17763.5122

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Exploit exists.

  • Vulnerability started trending.

  • First article discovered by Dark Reading

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

  • NVD Database
  • Mitre Database
  • CISA Database
  • Microsoft Feed
  • 3 Proof of Concept(s)
  • 12 News Article(s)