Cyber Resilience

CVE-2022-41049

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 November 2022
Modified: 30 October 2025
KEV Added: 14 November 2022
Patch: available from the vendor (see References)
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
EPSS Score: 0.1323 (94.3rd percentile)
Risk Priority: 39 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-41049 is a medium-severity vulnerability of unspecified weakness type (no CWE listed) in Microsoft Windows 10 1507. Its CVSS base score is 5.4 (Medium).

Operationally, it is ranked in the top 5.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2022-41049 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism, which tags files originating from the internet and triggers security warnings or restrictions in applications such as Microsoft Office and the Windows shell. The flaw affects multiple Windows versions and allows certain downloaded files to evade MOTW protections without requiring authentication or elevated privileges.

An unauthenticated remote attacker can exploit the issue by supplying a specially crafted file that, when opened by a user, bypasses MOTW safeguards. Successful exploitation can result in limited integrity and availability impacts, such as reduced security prompts or altered file handling behavior, while leaving confidentiality unaffected.

Microsoft has published updates addressing the vulnerability through its Security Response Center, and the flaw appears in CISA’s catalog of known exploited vulnerabilities, indicating confirmed in-the-wild use. The associated EPSS score rose from a low baseline to a peak of 0.2104, signaling increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Windows Mark of the Web Security Feature Bypass Vulnerability

CWE(s): none listed
KEV Date Added: 14 November 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product              Affected versions
microsoft  windows 10 1507      ≤ 10.0.10240.19567
microsoft  windows 10 1607      ≤ 10.0.14393.5501
microsoft  windows 10 1809      ≤ 10.0.17763.3650
microsoft  windows 10 20h2      ≤ 10.0.19042.2251
microsoft  windows 10 21h1      ≤ 10.0.19043.2251
microsoft  windows 10 21h2      ≤ 10.0.19044.2251
microsoft  windows 10 22h2      ≤ 10.0.19045.2251
microsoft  windows 11 21h2      ≤ 10.0.22000.1219
microsoft  windows 11 22h2      ≤ 10.0.22621.819
microsoft  windows server 2016  ≤ 10.0.14393.5501
+2 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-4 (Information Flow Enforcement)

Directly enforces information-flow policies on content received from external or untrusted sources, which is the exact mechanism Mark of the Web relies on and that CVE-2022-41049 bypasses.

Prevent: SI-3 (Malicious Code Protection)

Requires automated malicious-code detection and blocking on files and attachments, providing an independent layer that can still catch payloads delivered via the MOTW bypass.

Prevent

Enforces access decisions based on security attributes such as file origin markings, directly limiting what an attacker can achieve after evading the Mark of the Web feature.

References