CVE-2023-32049
published 2023-07-11CVE-2023-32049: Windows SmartScreen Security Feature Bypass Vulnerability
PriorityP182high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-08-01
Exploited in the wild
EPSS
4.40%
90.1th percentile
Windows SmartScreen Security Feature Bypass Vulnerability
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1607 | < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_10_1809 | < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_21h2 | < 10.0.19041.3208 | 10.0.19041.3208 |
| microsoft | windows_10_22h2 | < 10.0.19045.3208 | 10.0.19045.3208 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.3208 | 10.0.19044.3208 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3208 | 10.0.19045.3208 |
| microsoft | windows_11_21h2 | < 10.0.22000.2176 | 10.0.22000.2176 |
| microsoft | windows_11_22h2 | < 10.0.22621.1992 | 10.0.22621.1992 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2176 | 10.0.22000.2176 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.1992 | 10.0.22621.1992 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1850 | 10.0.20348.1850 |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect child processes spawned by Microsoft Office applications on Windows, which may indicate exploitation of CVE-2023-36884 chained with CVE-2023-32049 ↗
- →The attacker exploits CVE-2023-32049 by having the user click a specially crafted URL, bypassing the Open File - Security Warning prompt; monitor for SmartScreen bypass events triggered by URL-based file opens ↗
- →The C2/payload delivery IPs are associated with TOR/VPN infrastructure; the second-stage payload is approximately 24 KB and is a Microsoft Word file ↗
- ·The SHA256 hashes and IP addresses listed are associated with the broader Storm-0978/RomCom campaign (CVE-2023-36884 chain) and are not exclusively tied to CVE-2023-32049 alone; CVE-2023-32049 is assessed to be used in combination with CVE-2023-35311 and CVE-2023-36884 ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
cisa8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
cisa·2023-07-11·CVSS 8.8
CVE-2023-32049 [HIGH] Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
Vulnerability: Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
Affected: Microsoft Windows
Microsoft Windows Defender SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the Open File - Security Warning prompt.
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32049; https://nvd.nist.gov/vuln/detail/CVE-2023-32049
Remediation Due Date: 2023-08-01
Microsoft
Windows SmartScreen Security Feature Bypass Vulnerability
vendor_msrc·2023-07-11·CVSS 8.8
CVE-2023-32049 [HIGH] Windows SmartScreen Security Feature Bypass Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability?
The attacker would be able to bypass the Open File - Security Warning prompt.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be compromised by the attacker.
Windows SmartScreen: Windows SmartScreen
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5028168
Reference: https://support.microsoft.c
GHSA
GHSA-8q3q-pcch-j42x: Windows SmartScreen Security Feature Bypass Vulnerability
ghsa_unreviewed·2023-07-11
CVE-2023-32049 [HIGH] GHSA-8q3q-pcch-j42x: Windows SmartScreen Security Feature Bypass Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
VulnCheck
Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
vulncheck·2023·CVSS 8.8
CVE-2023-32049 [HIGH] Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
Microsoft Windows Defender SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the Open File - Security Warning prompt.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Jul; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2023-08-01
No detection rules found.
No public exploits indexed.
Tenable
Microsoft’s February 2024 Patch Tuesday Addresses 73 CVEs (CVE-2024-21351, CVE-2024-21412)
blogs_tenable·2024-02-13·CVSS 7.6
[HIGH] Microsoft’s February 2024 Patch Tuesday Addresses 73 CVEs (CVE-2024-21351, CVE-2024-21412)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Krebs
Fat Patch Tuesday, February 2024 Edition
blogs_krebs·2024-02-13·CVSS 5.4
CVE-2024-21412 [MEDIUM] Fat Patch Tuesday, February 2024 Edition
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.msi)
Krebs
Fat Patch Tuesday, February 2024 Edition
blogs_krebs·2024-02-13·CVSS 5.4
CVE-2024-21412 [MEDIUM] Fat Patch Tuesday, February 2024 Edition
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412 , a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “ Water Hydra ,” which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.m
Tenable
Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)
blogs_tenable·2023-11-14·CVSS 8.8
[HIGH] Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security
blogs_qualys·2023-07-14·CVSS 7.8
CVE-2023-32046 [HIGH] Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security
## Table of Contents
Summary:
Remediation:
Vulnerability Analysis:
Exploit Detection using Qualys EDR:
VMDR:
Related IOCs:
## Summary:
On July 11, Microsoft released security bulletins to fix 132 vulnerabilities. With the July Patch Tuesday, Microsoft also remediated six zero-day vulnerabilities . For your quick reference, the following are the zero-day vulnerabilities:
CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
ADV230001 – Guidance on
Qualys
Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security | Qualys
blogs_qualys·2023-07-14·CVSS 7.8
CVE-2023-32046 [HIGH] Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security | Qualys
#### Table of Contents
- Summary:
- Remediation:
- Vulnerability Analysis:
- Exploit Detection using Qualys EDR:
- VMDR:
- Related IOCs:
## Summary:
On July 11, Microsoft released security bulletins to fix 132 vulnerabilities. With the July Patch Tuesday, Microsoft also remediated six zero-day vulnerabilities. For your quick reference, the following are the zero-day vulnerabilities:
1. CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
2. CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
3. CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
4. CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
5. CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
6. ADV
Krebs
Apple & Microsoft Patch Tuesday, July 2023 Edition
blogs_krebs·2023-07-12·CVSS 7.8
[HIGH] Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitch
Talos
Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
blogs_talos·2023-07-11·CVSS 7.8
[HIGH] Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
Microsoft released its monthly security update Tuesday, disclosing the most vulnerabilities as part of Patch Tuesday in more than a year.
The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining vulnerabilities are “important.”
Microsoft also included an advisory in today’s Patch Tuesday that provides guidance to mitigate Microsoft-signed drivers that attackers are using maliciously in the wild. Talos recently discovered an attack that focuses on drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) being used maliciously in post-exploitation activity. Microsoft had been previously notified of this type of activity in February 2023, and Talos researchers recently rep
Krebs
Apple & Microsoft Patch Tuesday, July 2023 Edition
blogs_krebs·2023-07-11·CVSS 7.8
[HIGH] Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitch
Qualys
Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review
blogs_qualys·2023-07-11·CVSS 7.8
[HIGH] Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for July 2023
Adobe Patches for July 2023
Zero-day Vulnerabilities Patched in July Patch Tuesday Edition
Other Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
Qualys Monthly Webinar Series
Microsoft has released July’s edition of Patch Tuesday! This installment of security updates addressed 132 security vulnerabilities in various products, features, and roles.
## Microsoft
Tenable
Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)
blogs_tenable·2023-07-11·CVSS 7.5
[HIGH] Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review | Qualys
blogs_qualys·2023-07-11·CVSS 7.8
[HIGH] Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for July 2023
- Adobe Patches for July 2023
- Zero-day Vulnerabilities Patched in July Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
Microsoft has released July’s edition of Patch Tuesday! This installment of security updates addressed 132 security vulnerabilities in various products, features, and roles.
Talos
Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
blogs_talos·2023-07-11·CVSS 7.8
[HIGH] Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
## Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
Microsoft released its monthly security update Tuesday, disclosing the most vulnerabilities as part of Patch Tuesday in more than a year.
The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining vulnerabilities are “important.”
Microsoft also included an advisory in today’s Patch Tuesday that provides guidance to mitigate Microsoft-signed drivers that attackers are using maliciously in the wild. Talos recently discovered an attack that focuses on drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) being used maliciously in post-exploitation activity. Mi
Crowdstrike
July 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] July 2023 Patch Tuesday: Updates and Analysis
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
2023-07-11
Published
2023-07-11
Added to CISA KEV
Exploited in the wild