CVE-2022-41049
Published: 09 November 2022
Summary
CVE-2022-41049 is a medium-severity vulnerability (weakness type unspecified) in Microsoft Windows 10 1507. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2022-41049 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism, which tags files originating from the internet and triggers security warnings or restrictions in applications such as Microsoft Office and the Windows shell. The flaw affects multiple Windows versions and allows certain downloaded files to evade MOTW protections without requiring authentication or elevated privileges.
An unauthenticated remote attacker can exploit the issue by supplying a specially crafted file that, when opened by a user, bypasses MOTW safeguards. Successful exploitation can result in limited integrity and availability impacts, such as reduced security prompts or altered file handling behavior, while leaving confidentiality unaffected.
Microsoft has published updates addressing the vulnerability through its Security Response Center, and the flaw appears in CISA’s catalog of known exploited vulnerabilities, indicating confirmed in-the-wild use. The associated EPSS score rose from a low baseline to a peak of 0.2104, signaling increased exploitation interest after public disclosure.
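As an added defender-side example (not part of this advisory), the following Python script parses the NTFS `Zone.Identifier` alternate data stream that implements Mark of the Web and flags files in a set that lack an Internet-zone mark, which is the condition a bypass like this one produces on disk. The file names and stream contents in `SAMPLE_FILES` are constructed; `read_zone_identifier` only returns data on Windows/NTFS.

```python
"""Audit files for a Windows Mark of the Web (MOTW) tag.

On NTFS, MOTW is the ``Zone.Identifier`` alternate data stream of a file: an
INI-style blob whose [ZoneTransfer] section carries ZoneId (3 = Internet,
4 = Restricted). Those two zones are what trigger Protected View and shell
warnings; a missing or lower zone means the protections do not engage.
"""
import configparser
from typing import List, Optional, Tuple

INTERNET_ZONES = {3, 4}  # URL security zones that engage MOTW protections


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    if stream is None:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on NTFS; None if no stream (or not on Windows)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def find_unmarked(files: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return names from (name, stream_text) pairs that lack an Internet/Restricted mark.

    Such a file was never marked, lost its mark (the effect of a MOTW bypass),
    or carries a zone below the threshold at which protections engage.
    """
    return [name for name, stream in files
            if parse_zone_identifier(stream) not in INTERNET_ZONES]


# Constructed sample set, as an investigator might collect it from a Downloads folder
SAMPLE_FILES: List[Tuple[str, Optional[str]]] = [
    ("report.zip", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/report.zip\r\n"),
    ("invoice.docm", None),                            # no stream: handled as a local file
    ("macro.xlsm", "[ZoneTransfer]\r\nZoneId=1\r\n"),  # Intranet zone: below the threshold
    ("notes.txt", "ZoneId=3\r\n"),                      # malformed: section header missing
]
```

On a live system, build the input list with `read_zone_identifier` over the directory of interest; `find_unmarked(SAMPLE_FILES)` returns `['invoice.docm', 'macro.xlsm', 'notes.txt']` for the constructed set.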
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44294
Vulnerability details
Windows Mark of the Web Security Feature Bypass Vulnerability
- CWE(s): none listed
- KEV Date Added: 14 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): directly enforces information-flow policies on content received from external or untrusted sources, which is the exact mechanism Mark of the Web relies on and that CVE-2022-41049 bypasses.
- SI-3 (Malicious Code Protection): requires automated malicious-code detection and blocking on files and attachments, providing an independent layer that can still catch payloads delivered via the MOTW bypass.
- Enforces access decisions based on security attributes such as file origin markings, directly limiting what an attacker can achieve after evading the Mark of the Web feature.