CVE-2023-32049
published 2023-07-11

CVE-2023-32049: Windows SmartScreen Security Feature Bypass Vulnerability

Priority: P182 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW: CISA Known Exploited Vulnerability, due 2023-08-01 · Exploited in the wild
EPSS: 4.40% (90.1th percentile)

Affected

25 ranges
Vendor    | Product                 | Version range                        | Fixed in
microsoft | windows_10_1607         | < 10.0.14393.6085                    | 10.0.14393.6085
microsoft | windows_10_1809         | < 10.0.17763.4645                    | 10.0.17763.4645
microsoft | windows_10_21h2         | < 10.0.19041.3208                    | 10.0.19041.3208
microsoft | windows_10_22h2         | < 10.0.19045.3208                    | 10.0.19045.3208
microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6085    | 10.0.14393.6085
microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4645          | 10.0.17763.4645
microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4645    | 10.0.17763.4645
microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.3208    | 10.0.19044.3208
microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3208    | 10.0.19045.3208
microsoft | windows_11_21h2         | < 10.0.22000.2176                    | 10.0.22000.2176
microsoft | windows_11_22h2         | < 10.0.22621.1992                    | 10.0.22621.1992
microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2176          | 10.0.22000.2176
microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.1992    | 10.0.22621.1992
microsoft | windows_server_2016     | >= 10.0.14393.0 < 10.0.14393.6085    | 10.0.14393.6085
microsoft | windows_server_2019     | >= 10.0.17763.0 < 10.0.17763.4645    | 10.0.17763.4645
microsoft | windows_server_2022     | >= 10.0.20348.0 < 10.0.20348.1850    | 10.0.20348.1850
msrc      | windows_10_version_1607 |                                      |
msrc      | windows_10_version_1809 |                                      |
msrc      | windows_10_version_21h2 |                                      |
msrc      | windows_10_version_22h2 |                                      |
msrc      | windows_11_version_21h2 |                                      |
msrc      | windows_11_version_22h2 |                                      |
msrc      | windows_server_2016     |                                      |
msrc      | windows_server_2019     |                                      |
msrc      | windows_server_2022     |                                      |

Detection & IOCs (extracted from sources)

filename: start.xml
  • Detect child processes spawned by Microsoft Office applications on Windows, which may indicate exploitation of CVE-2023-36884 chained with CVE-2023-32049
  • The attacker exploits CVE-2023-32049 by having the user click a specially crafted URL, bypassing the Open File - Security Warning prompt; monitor for SmartScreen bypass events triggered by URL-based file opens
  • The C2/payload delivery IPs are associated with Tor/VPN infrastructure; the second-stage payload is approximately 24 KB and is a Microsoft Word file
  • The SHA256 hashes and IP addresses extracted from sources are associated with the broader Storm-0978/RomCom campaign (CVE-2023-36884 chain) and are not exclusively tied to CVE-2023-32049 alone; CVE-2023-32049 is assessed to be used in combination with CVE-2023-35311 and CVE-2023-36884

CVSS provenance

Source      | Version | Score    | Vector
nvd         | v3.1    | 8.8 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck   |         | 8.8 HIGH |
cisa        |         | 8.8 HIGH |
vendor_msrc |         | 8.8 HIGH |