CVE-2022-41091
Published: 09 November 2022
Summary
CVE-2022-41091 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Microsoft Windows; Windows 10 1507 is the affected product recorded here, although the flaw is present in multiple Windows versions. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-41091 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism, which tags files originating from the internet or other untrusted zones with a zone identifier (the Zone.Identifier alternate data stream) so that downstream protections keyed on that tag can apply stricter handling. The flaw affects multiple Windows versions and allows certain file-handling operations to circumvent MOTW protections without requiring elevated privileges.
An unauthenticated remote attacker can exploit the issue by supplying a specially crafted file; the bypass triggers when a user opens or otherwise processes it, so user interaction is required. Successful exploitation has limited impact: protections that depend on the MOTW tag can be skipped, giving a low integrity and low availability impact while leaving confidentiality intact, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L).
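The following Python is an added example, not code from the advisory or from Microsoft. It parses the Zone.Identifier stream that MOTW relies on and audits a directory for files that lack an untrusted-zone tag, which is the check a responder runs on the extraction folder of a downloaded archive to see whether MOTW was actually propagated. The stream format ([ZoneTransfer] section with ZoneId and optional ReferrerUrl/HostUrl) and the zone numbering are standard Windows behaviour; the sample stream text and the directory path are constructed for illustration.

```python
"""Audit Mark-of-the-Web (MOTW) tags by reading and parsing the Zone.Identifier
alternate data stream. Added example; not code from the advisory or from Microsoft.

Real Windows behaviour relied on: the stream is INI-style text with a
[ZoneTransfer] section holding ZoneId and optionally ReferrerUrl/HostUrl, and
ZoneId uses the URLMON zone numbers. The sample stream text and the directory
name below are constructed for illustration.
"""
import configparser
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# URLMON security zones as written into Zone.Identifier.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Protections that key on MOTW treat these zones as untrusted.
UNTRUSTED_ZONES = {3, 4}

# Constructed sample: what a browser-downloaded archive typically carries.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/report.zip\r\n")


@dataclass
class ZoneTransfer:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def untrusted(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES[self.zone_id]


def parse_zone_identifier(stream_text: str) -> Optional[ZoneTransfer]:
    """Parse Zone.Identifier text. Returns None when the stream is absent,
    empty or malformed, which is exactly the case in which MOTW-dependent
    protections see no tag. Unknown keys are ignored; an out-of-range ZoneId
    is treated as no tag rather than guessed at."""
    if not stream_text or not stream_text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))  # URLs may contain ':'
    try:
        cp.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sect = cp["ZoneTransfer"]
    try:
        zone_id = int(sect.get("ZoneId", "").strip())
    except ValueError:
        return None
    if zone_id not in ZONE_NAMES:
        return None
    return ZoneTransfer(zone_id, sect.get("ReferrerUrl"), sect.get("HostUrl"))


def read_zone_identifier(path: str) -> str:
    """Read a file's Zone.Identifier stream via the NTFS 'file:stream' path
    form. Returns "" when the stream (or the file) does not exist, including
    on non-NTFS volumes and non-Windows hosts."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Report which regular files in `directory` carry an untrusted-zone MOTW
    tag and which do not. Run it on the extraction folder of a downloaded
    archive: files that should have inherited the tag but show up as
    'untagged' will be opened without MOTW-dependent protections."""
    report: Dict[str, List[str]] = {"tagged": [], "untagged": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        tag = parse_zone_identifier(read_zone_identifier(path))
        bucket = "tagged" if tag is not None and tag.untrusted else "untagged"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    tag = parse_zone_identifier(SAMPLE_STREAM)
    print(f"sample: zone {tag.zone_id} ({tag.zone_name}), untrusted={tag.untrusted}")
    # Hypothetical path; point it at a real extraction folder on Windows.
    target = r"C:\Users\analyst\Downloads\report"
    if os.path.isdir(target):
        print(audit_directory(target))
```

The parser deliberately treats a missing, empty or malformed stream the same way, because that is how MOTW-dependent protections behave: anything they cannot read as an untrusted zone is handled as trusted. On a Windows host the same stream can be inspected interactively with `Get-Content -Path .\file -Stream Zone.Identifier`.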
Microsoft's advisory at msrc.microsoft.com directs administrators to apply the security updates released on November 8, 2022. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming active exploitation in the wild and underscoring the need for prompt patching.
EPSS scores have remained in a narrow band between 0.0634 and a peak of 0.0757, indicating moderate but stable exploitation interest without a pronounced post-disclosure surge.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44334
Vulnerability details
Windows Mark of the Web Security Feature Bypass Vulnerability
- CWE(s): CWE-863 (Incorrect Authorization)
- KEV Date Added: 08 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch that closes the Mark-of-the-Web bypass described in CVE-2022-41091.
- AC-4 (Information Flow Enforcement): enforces information-flow rules based on the zone-identifier security attributes that the vulnerability circumvents.
- SI-3 (Malicious Code Protection): supplies malicious-code inspection and blocking mechanisms that can still catch payloads once the Mark-of-the-Web protection is bypassed.