Cyber Resilience

CVE-2022-41091

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 November 2022
Modified: 30 October 2025
KEV Added: 08 November 2022
Patch: vendor security update available (see the Microsoft advisory referenced below)
CVSS v3.1 base score: 5.4 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
EPSS score: 0.0634 (percentile 91.2)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41091 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Microsoft Windows (Windows 10 from build 1507 onward, Windows 11 and Windows Server 2016; see Affected Assets). Its CVSS base score is 5.4 (Medium).

Operationally, its EPSS score ranks it in the top 8.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-41091 is a security feature bypass vulnerability in the Windows Mark of the Web (MOTW) mechanism, which tags files originating from the internet or other untrusted zones with a zone-identifier security attribute so that downstream components treat them as untrusted. The flaw affects multiple Windows versions and allows certain file-handling operations to circumvent MOTW protections without requiring elevated privileges.

An unauthenticated remote attacker can exploit the issue by supplying a specially crafted file that triggers the bypass when opened or processed by a user. Successful exploitation results in limited impact, enabling modification of local files or disruption of availability while leaving confidentiality intact, as reflected in the CVSS vector.
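Because the bypass turns on whether a file still carries its zone-identifier attribute, the practical check after an incident or before opening extracted content is to read that attribute back. The following is an added example for this page, not code from the vendor advisory or the catalog; it parses the INI-style text of the NTFS `Zone.Identifier` alternate data stream (the `[ZoneTransfer]` / `ZoneId=` format Windows writes) and reports files that lack an Internet or Restricted Sites mark. The `read_zone_identifier` and `files_missing_motw` helpers are hypothetical names and only work on NTFS volumes on Windows; the parser itself runs anywhere.

```python
import configparser
import os
from typing import Optional

# Windows URL security zone IDs as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse a Zone.Identifier stream; zone_id is None if malformed or missing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (ZoneId, HostUrl, ...)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:  # no section header, duplicate keys, etc.
        return {"zone_id": None, "zone_name": "malformed"}
    if "ZoneTransfer" not in parser:
        return {"zone_id": None, "zone_name": "missing"}
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer_url": section.get("ReferrerUrl"),  # newer builds only
            "host_url": section.get("HostUrl")}


def has_motw(stream_text: Optional[str]) -> bool:
    """True only for Internet (3) / RestrictedSites (4), the zones Windows
    treats as untrusted; a stream with ZoneId=0..2 does not count as marked."""
    if stream_text is None:
        return False
    zone_id = parse_zone_identifier(stream_text)["zone_id"]
    return zone_id is not None and zone_id >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS via NTFS 'file:stream' syntax (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def files_missing_motw(root: str) -> list:
    """Paths under root with no untrusted-zone mark, e.g. an extracted download."""
    return [os.path.join(d, n) for d, _, names in os.walk(root)
            for n in names if not has_motw(read_zone_identifier(os.path.join(d, n)))]
```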

Microsoft's advisory at msrc.microsoft.com directs administrators to apply the security updates released on November 8, 2022. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming active exploitation in the wild and underscoring the need for prompt patching.

EPSS scores have remained in a narrow band between 0.0634 and a peak of 0.0757, indicating moderate but stable exploitation interest without a pronounced post-disclosure surge.

Vulnerability details

Windows Mark of the Web Security Feature Bypass Vulnerability

CWE(s): CWE-863 Incorrect Authorization
KEV Date Added: 08 November 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions
microsoft / windows 10 1507: ≤ 10.0.10240.19567
microsoft / windows 10 1607: ≤ 10.0.14393.5501
microsoft / windows 10 1809: ≤ 10.0.17763.3650
microsoft / windows 10 20h2: ≤ 10.0.19042.2251
microsoft / windows 10 21h1: ≤ 10.0.19043.2251
microsoft / windows 10 21h2: ≤ 10.0.19044.2251
microsoft / windows 10 22h2: ≤ 10.0.19045.2251
microsoft / windows 11 21h2: ≤ 10.0.22000.1219
microsoft / windows 11 22h2: ≤ 10.0.22621.819
microsoft / windows server 2016: ≤ 10.0.14393.5501
+2 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation [prevent]
Directly requires applying the vendor patch that closes the Mark-of-the-Web bypass described in CVE-2022-41091.

AC-4 Information Flow Enforcement [prevent]
Enforces information-flow rules based on zone-identifier security attributes that the vulnerability attempts to circumvent.

Malicious code protection [prevent, detect] (control identifier not given on this page)
Supplies malicious-code inspection and blocking mechanisms that can still catch payloads once the Mark-of-the-Web protection is bypassed.
