CVE-2023-36584

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 October 2023
Modified: 28 October 2025
KEV Added: 16 November 2023
Patch: available
CVSS Score (v3.1): 5.4 · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS Score: 0.1542 (94.8th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-36584 is a medium-severity vulnerability in Microsoft Windows 10 1809 whose weakness type (CWE) is unspecified. Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2023-36584 is a security feature bypass vulnerability affecting the Mark of the Web (MOTW) mechanism in Windows. MOTW is a Windows component that tags files originating from the internet and triggers security warnings or protected-view restrictions in applications such as Office and the Edge browser; the flaw allows this tagging and enforcement to be circumvented.
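On NTFS the mark is stored as an alternate data stream named Zone.Identifier with an INI-style body ([ZoneTransfer] / ZoneId=3 for the Internet zone); Office Protected View and SmartScreen consult that zone id. The PowerShell audit below is an added example, not code from the original page or from Microsoft: it walks a folder and reports which files carry the mark and which do not, so a defender can see where MOTW-dependent protections would not apply. The default folder (the current user's Downloads directory) and the zone-name table are assumptions for illustration.

```powershell
# Added example: audit a folder for Mark of the Web (Zone.Identifier ADS).
# Files that arrived from the internet but carry no mark will not trigger
# Protected View or SmartScreen prompts; this script only reads the stream.
param(
    # Folder to audit (assumption: user's Downloads folder by default).
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# URL security zone ids as used by the ZoneId field (constructed lookup table).
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MotwStatus {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # Reading a stream that does not exist raises an error; treat that as "no mark".
    try {
        $lines = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            File = $File.FullName; HasMotw = $false; ZoneId = $null
            Zone = 'none'; HostUrl = $null; ReferrerUrl = $null
        }
    }

    # Parse the INI-style body into key/value pairs (section headers are skipped).
    $kv = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') {
            $kv[$matches[1]] = $matches[2]
        }
    }

    $zoneId = $null
    if ($kv.ContainsKey('ZoneId')) { $zoneId = [int]$kv['ZoneId'] }
    $zone = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }

    [pscustomobject]@{
        File        = $File.FullName
        HasMotw     = $true
        ZoneId      = $zoneId
        Zone        = $zone
        HostUrl     = $kv['HostUrl']       # origin URL, present on newer Windows builds
        ReferrerUrl = $kv['ReferrerUrl']
    }
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -File $_ }

# Unmarked files first, since those are the ones worth a second look.
$results | Sort-Object HasMotw, File | Format-Table File, HasMotw, ZoneId, Zone, HostUrl -AutoSize

$unmarked = @($results | Where-Object { -not $_.HasMotw }).Count
Write-Host ("{0} file(s) scanned, {1} without Mark of the Web" -f @($results).Count, $unmarked)
```

Run it as `.\Audit-Motw.ps1 -Path 'C:\Users\alice\Downloads'` (path is a constructed example). Files downloaded from the internet zone should show ZoneId 3; a file that you know came from a browser but shows HasMotw = False is exactly the condition a MOTW bypass produces, and is worth correlating with proxy or EDR download telemetry.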

An unauthenticated attacker can exploit the issue over the network by delivering a specially crafted file; exploitation requires user interaction, such as opening or saving the file. Successful exploitation bypasses MOTW protections, enabling limited integrity and availability impacts without requiring privileges on the target system.

Microsoft has published an advisory and corresponding security update addressing the vulnerability. The flaw is also listed in CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.

EPSS scores have reached a peak of 0.1852 with a current value of 0.1542, reflecting moderate and sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Windows Mark of the Web Security Feature Bypass Vulnerability

CWE(s): none assigned
KEV Date Added: 16 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 10 1507 · ≤ 10.0.10240.20232
microsoft · windows 10 1809 · ≤ 10.0.17763.4974
microsoft · windows 10 21h1 · ≤ 10.0.19041.3570
microsoft · windows 10 22h2 · ≤ 10.0.19041.3570
microsoft · windows 11 21h2 · ≤ 10.0.22000.2538
microsoft · windows 11 22h2 · ≤ 10.0.22621.2428
microsoft · windows server 2008 · all versions, r2
microsoft · windows server 2012 · all versions, r2
microsoft · windows server 2016 · ≤ 10.0.14393.6351
microsoft · windows server 2019 · ≤ 10.0.17763.4974
+1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires applying the Microsoft security updates that remediate the Mark of the Web bypass in CVE-2023-36584.

SI-3 Malicious Code Protection (prevent, detect)
Deploys malicious-code detection mechanisms that can block or alert on files exploiting the Mark of the Web bypass before or at execution.

Information flow enforcement (prevent)
Enforces information-flow policies based on security attributes such as zone identifiers, compensating for the bypassed Mark of the Web marking.

References