Critical Bypass in Windows Defender SmartScreen – CVE-2023-36025

A high-severity security feature bypass in Microsoft Defender SmartScreen, CVE-2023-36025, has drawn renewed attention since a public proof-of-concept (PoC) exploit was released. Microsoft patched the flaw in its November 2023 security update after it had already been exploited in the wild. It allows an attacker to sidestep the SmartScreen checks and warning prompts that normally stand between a user and a downloaded file or link, one of Windows' main defenses against phishing and malware delivery.

Vulnerability Details

  • CVE ID: CVE-2023-36025
  • CVSSv3 base score: 8.8 (High); Microsoft severity rating: Important
  • Affected Systems: Windows 10, Windows 11, and Windows Server 2008 and later releases.
  • Attack Vector: The attacker delivers a specially crafted Internet Shortcut (.URL) file, usually as an email attachment or behind a hyperlink that points to one. When the user opens it, SmartScreen's checks and prompts are bypassed, so the target the shortcut points to is launched without the usual warning. User interaction is required; the file does nothing until it is clicked.
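The bypass rides on a file format that is easy to inspect. An Internet Shortcut is a plain INI file with an [InternetShortcut] section whose URL= key names the target, so a mail gateway or a responder triaging attachments can parse it and flag the targets that a phishing lure would use. The script below is an added example written for this page, not code from Microsoft, Proofpoint or the original article, and it does not reproduce any specific exploit: the heuristics (targets on remote UNC or file:// shares, non-web schemes, executable-looking file extensions, icons fetched from a share) are generic assumptions about malicious shortcuts, and every sample shortcut is constructed using documentation IP ranges.

```python
"""Triage Internet Shortcut (.URL) files before they reach a user.

Added example for this page (not Microsoft's or the article's code). The
.URL format is an INI file: an [InternetShortcut] section with a URL= key
naming the target. The risk heuristics below are assumptions about
phishing lures, not a description of CVE-2023-36025 internals, and all
sample contents are constructed.
"""
import configparser
import posixpath
from urllib.parse import urlparse

# File types a mail attachment should never launch via a shortcut (assumed list).
RISKY_EXT = {".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
             ".bat", ".cmd", ".ps1", ".msi", ".scr", ".cpl", ".dll", ".zip", ".url"}

# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "invoice.url": ("[InternetShortcut]\r\n"
                    "URL=file://203.0.113.10/share/Invoice_2023-11.js\r\n"
                    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
                    "IconIndex=1\r\n"),
    "report.url": "[InternetShortcut]\r\nURL=\\\\198.51.100.7\\docs\\report.lnk\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] key/value pairs, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep "URL", "IconFile" exactly as written
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut: no [InternetShortcut] section")
    return dict(cp["InternetShortcut"])


def _is_unc(value: str) -> bool:
    """True for a bare \\\\host\\share\\... or //host/share/... path."""
    return value.startswith("\\\\") or value.startswith("//")


def classify_target(url: str) -> list:
    """Heuristic findings for a URL= value; an empty list means nothing notable."""
    findings = []
    u = url.strip()
    if _is_unc(u):  # bare UNC path, no scheme at all
        findings.append("remote-unc-target")
        path = u.replace("\\", "/")
    else:
        p = urlparse(u)
        scheme = p.scheme.lower()
        path = p.path.replace("\\", "/")
        if scheme in ("http", "https"):
            pass
        elif scheme == "file":
            # file://host/share/... is fetched over SMB or WebDAV; file:///C:/... is local
            findings.append("remote-unc-target" if p.netloc and p.netloc != "localhost"
                            else "local-file-target")
        else:
            findings.append("unusual-scheme:" + (scheme or "none"))
    ext = posixpath.splitext(path)[1].lower()
    if ext in RISKY_EXT:
        findings.append("executable-target:" + ext)
    return findings


def triage(name: str, text: str) -> dict:
    """Parse one .URL attachment and decide allow / review / block."""
    fields = parse_url_file(text)
    url = fields.get("URL", "")
    findings = classify_target(url) if url else ["missing-URL-field"]
    if _is_unc(fields.get("IconFile", "")):
        findings.append("remote-icon-source")  # icon is fetched from a share on open
    remote = "remote-unc-target" in findings
    executable = any(f.startswith("executable-target") for f in findings)
    verdict = "block" if remote and executable else ("review" if findings else "allow")
    return {"file": name, "url": url, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(name, text)
        print(f"{r['verdict']:6} {name:12} {r['url']}  {r['findings']}")
```

Running it prints "allow" for the plain HTTPS shortcut, "review" for the local file:/// target, and "block" for the two shortcuts whose target is an executable-looking file on a remote share. A check like this belongs at the mail gateway and in an endpoint scan of user download folders; it is a compensating control and not a substitute for the patch, since SmartScreen itself is what the vulnerability defeats. On a Windows host, also confirm that files arriving by mail or browser carry the Zone.Identifier alternate data stream (the Mark of the Web), which is what SmartScreen keys on.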

Threat Actor Utilization: TA544

TA544, a financially motivated cybercrime group, is among the threat actors observed exploiting this vulnerability. Active since at least 2017, TA544 is known for high-volume email campaigns distributing banking malware such as Ursnif and URLZone.

  • Target Regions: TA544 primarily targets western Europe and Japan, tailoring lures and delivery to each region.
  • Methodology: The group has used steganography to hide malicious code inside images and abused Microsoft Office VBA macros for payload delivery; the .URL shortcut that triggers CVE-2023-36025 is a newer addition to the same email-led playbook.

Historical Context of SmartScreen Vulnerabilities

CVE-2023-36025 is not the first SmartScreen vulnerability to be exploited. Earlier in 2023 Microsoft disclosed and patched CVE-2023-24880 (March) and CVE-2023-32049 (July), both SmartScreen security feature bypasses and both reported as exploited in the wild before the fix shipped. Three exploited bypasses of the same control in one year show that SmartScreen is a recurring target and that patching it promptly matters.

Mitigation Recommendations
  1. Patch Management: Apply the November 2023 (or later) cumulative update that fixes CVE-2023-36025 across all affected Windows 10, Windows 11, and Windows Server releases, and verify deployment rather than assuming it.
  2. User Awareness: Educate users about the risks of opening unexpected links and attachments received via email, including shortcut files (.URL, .LNK) that look like documents.
  3. Email Security: Use email filtering that blocks or quarantines .URL attachments and links to them, in addition to standard phishing controls.
  4. Regular Monitoring: Watch for indicators of TA544 and similar threat groups, with attention to their delivery methods and target regions, and for .URL files opened from mail or download folders.

Further Reading