CVE-2026-23674
Published: 10 March 2026
Summary
CVE-2026-23674 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Subvert Trust Controls (T1553); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23674 is an improper resolution of path equivalence vulnerability in the Windows MapUrlToZone function, which affects Windows operating systems. This flaw allows an unauthorized attacker to bypass a security feature over a network, as detailed in its description and associated with CWE-41 (Improper Resolution of Path Equivalence). The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to its confidentiality impact.
The attack scenario involves a remote, unauthenticated attacker with no privileges or user interaction required. By exploiting the improper path equivalence handling in MapUrlToZone, the attacker can bypass Windows security zone restrictions, potentially achieving high confidentiality impact such as unauthorized access to sensitive data that would otherwise be protected by zone-based policies.
Microsoft's Security Response Center provides guidance on this vulnerability through its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23674, which details available patches and mitigation recommendations for affected Windows systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10599
Vulnerability details
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directly enables bypassing Windows URL security zone trust controls (MapUrlToZone), mapping to subverting trust controls for unauthorized data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the improper path equivalence flaw in Windows MapUrlToZone by requiring timely application of vendor-provided patches.
Enables identification of CVE-2026-23674 through regular vulnerability scanning of Windows systems to facilitate proactive patching.
Establishes secure configuration settings for Windows security zones to restrict information flows and mitigate potential zone bypass impacts.