Cyber Posture

CVE-2026-23674

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0014 33.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23674 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Subvert Trust Controls (T1553); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Subvert Trust Controls (T1553).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1553 Subvert Trust Controls Defense Impairment
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
attack.mitre.org →
Why these techniques?

Directly enables bypassing Windows URL security zone trust controls (MapUrlToZone), mapping to subverting trust controls for unauthorized data access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.

Deeper analysisAI

CVE-2026-23674 is an improper resolution of path equivalence vulnerability in the Windows MapUrlToZone function, which affects Windows operating systems. This flaw allows an unauthorized attacker to bypass a security feature over a network, as detailed in its description and associated with CWE-41 (Improper Resolution of Path Equivalence). The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to its confidentiality impact.

The attack scenario involves a remote, unauthenticated attacker with no privileges or user interaction required. By exploiting the improper path equivalence handling in MapUrlToZone, the attacker can bypass Windows security zone restrictions, potentially achieving high confidentiality impact such as unauthorized access to sensitive data that would otherwise be protected by zone-based policies.

Microsoft's Security Response Center provides guidance on this vulnerability through its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23674, which details available patches and mitigation recommendations for affected Windows systems.

Details

CWE(s)
CWE-41

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.8957 · ≤ 10.0.14393.8957
microsoft
windows 10 1809
≤ 10.0.17763.8511 · ≤ 10.0.17763.8511
microsoft
windows 10 21h2
≤ 10.0.19044.7058 · ≤ 10.0.19044.7058 · ≤ 10.0.19044.7058
microsoft
windows 10 22h2
≤ 10.0.19045.7058 · ≤ 10.0.19045.7058 · ≤ 10.0.19045.7058
microsoft
windows 11 23h2
≤ 10.0.22631.6783 · ≤ 10.0.22631.6783
microsoft
windows 11 24h2
≤ 10.0.26100.7979 · ≤ 10.0.26100.7979
microsoft
windows 11 25h2
≤ 10.0.26200.7979 · ≤ 10.0.26200.7979
microsoft
windows 11 26h1
≤ 10.0.28000.1719 · ≤ 10.0.28000.1719
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8957
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21332Same product: Microsoft Windows 10 1607
CVE-2026-27916Same product: Microsoft Windows 10 1607
CVE-2026-32077Same product: Microsoft Windows 10 1607
CVE-2026-26168Same product: Microsoft Windows 10 1607
CVE-2026-24294Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607
CVE-2026-32183Same product: Microsoft Windows 10 1607
CVE-2026-27909Same product: Microsoft Windows 10 1607
CVE-2026-32202Same product: Microsoft Windows 10 1607
CVE-2026-27915Same product: Microsoft Windows 10 1607

References