cbcvebase.
CVE-2023-36025
published 2023-11-14

CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability

PriorityP192high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2023-12-05
Exploited in the wild
EPSS
88.20%
99.7th percentile
Windows SmartScreen Security Feature Bypass Vulnerability

Affected

37 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows_10_version_1507>= 10.0.10240.0 < 10.0.10240.2030810.0.10240.20308
microsoftwindows_10_version_1607>= 10.0.14393.0 < 10.0.14393.645210.0.14393.6452
microsoftwindows_10_version_1809>= 10.0.0 < 10.0.17763.512210.0.17763.5122
microsoftwindows_10_version_1809>= 10.0.17763.0 < 10.0.17763.512210.0.17763.5122
microsoftwindows_10_version_21h2>= 10.0.19043.0 < 10.0.19043.369310.0.19043.3693
microsoftwindows_10_version_22h2>= 10.0.19045.0 < 10.0.19045.369310.0.19045.3693
microsoftwindows_11_version_21h2>= 10.0.0 < 10.0.22000.260010.0.22000.2600
microsoftwindows_11_version_22h2>= 10.0.22621.0 < 10.0.22621.271510.0.22621.2715
microsoftwindows_11_version_22h3>= 10.0.22631.0 < 10.0.22631.271510.0.22631.2715
microsoftwindows_11_version_23h2>= 10.0.22631.0 < 10.0.22631.271510.0.22631.2715
microsoftwindows_server_2008
microsoftwindows_server_2008_r2_service_pack_1>= 6.1.7601.0 < 6.1.7601.268166.1.7601.26816
microsoftwindows_server_2008_service_pack_2>= 6.0.6003.0 < 6.0.6003.223676.0.6003.22367
microsoftwindows_server_2012
microsoftwindows_server_2012>= 6.2.9200.0 < 6.2.9200.245696.2.9200.24569
microsoftwindows_server_2012_r2>= 6.3.9600.0 < 6.3.9600.216686.3.9600.21668
microsoftwindows_server_2016< 10.0.14393.645210.0.14393.6452
microsoftwindows_server_2016>= 10.0.14393.0 < 10.0.14393.645210.0.14393.6452
microsoftwindows_server_2019< 10.0.17763.512210.0.17763.5122
microsoftwindows_server_2019>= 10.0.17763.0 < 10.0.17763.512210.0.17763.5122
microsoftwindows_server_2022< 10.0.20348.211310.0.20348.2113
microsoftwindows_server_2022>= 10.0.20348.0 < 10.0.20348.211310.0.20348.2113
msrcwindows_10
msrcwindows_10_version_1607
msrcwindows_10_version_1809

Detection & IOCsextracted from sources · hover to see the quote

filename.url
pathC:\Users\Public\Libraries\Books
filenameWerFaultSecure.exe
filenamewer.dll
filenamesecure.pdf
filenameDATA3.txt
mutex5dad16bd-6884-4ab8-b182-a504b4c99bcf
port445
processrundll32.exe
processrundll32.exe spawning unexpected child processes after a user interacts with a shortcut file
hash237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
hash22EE095FA9456F878CFAFF8F2A4871EC550C4E9EE538975C1BBC7086CDE15EDE
hash1EA0E878E276481A6FAEAF016EC89231957B02CB55C3DD68F035B82E072E784B
  • Hunt for .URL files where the URL= parameter points to a UNC path (file:// or \\server\share\) rather than http:// or https://. This is the core exploit primitive for CVE-2023-36025.
  • Alert on outbound SMB (TCP 445) or WebDAV connections initiated immediately after a user opens a .URL or shortcut file — indicates payload retrieval from attacker-controlled share.
  • Detect rundll32.exe or ieframe.dll spawning unexpected child processes following user interaction with a .URL shortcut file.
  • Monitor for creation of the scheduled task named 'Licensing2' executing WerFaultSecure.exe from C:\Users\Public\Libraries\Books at 90-minute intervals — persistence mechanism used by Phemedrone Stealer.
  • Detect creation of directory C:\Users\Public\Libraries\Books containing wer.dll, secure.pdf, and WerFaultSecure.exe — hallmark of Phemedrone Stealer staging.
  • Hunt for the mutex value 5dad16bd-6884-4ab8-b182-a504b4c99bcf to identify active Phemedrone Stealer infections.
  • Flag .MSI files delivered via open redirect URLs (e.g., Google DoubleClick/DDM) that contain a ZIP archive exploiting CVE-2023-36025 in their path — used in DarkGate campaigns.
  • Monitor for WerFaultSecure.exe (legitimate binary) loading wer.dll from the same directory — DLL sideloading technique used by Phemedrone Stealer.
  • ·CVE-2023-36025 was patched by Microsoft on November 14, 2023 (Patch Tuesday). Exploitation was confirmed in the wild as a zero-day prior to patching, and CISA added it to the Known Exploited Vulnerabilities (KEV) list.
  • ·Patching CVE-2023-36025 did not fully stop exploitation; threat actors pivoted to CVE-2024-21412 as a bypass of the same patched component, demonstrating that patching alone is insufficient without defense-in-depth.
  • ·The exploit requires user interaction — the victim must be convinced to open a malicious .URL file. Social engineering via phishing emails (ZIP attachments), Discord links, or file-sharing sites is the primary delivery vector.
  • ·Blocking outbound TCP port 445 at the perimeter prevents payload retrieval from attacker-controlled SMB/WebDAV shares, mitigating exploitation even on unpatched systems.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
cisa8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.