Skip to main content

Windows MOTW CVE-2026-45595

| EUVDEUVD-2026-35554 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-09 secure@microsoft.com GHSA-6mgf-hgqj-63v5
Medium
Disputed · 5.4 NVD
Temporal: 4.7
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
ENISA EUVD
CRITICAL
qualitative
CIRCL (temporal)
4.7 MEDIUM
cvss

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:40 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.4

DescriptionNVD

Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

Mark of the Web (MOTW) protection mechanism failure across a broad range of Windows client and server releases allows unauthenticated network-based attackers to deliver files that evade the Zone.Identifier security tag, bypassing downstream defenses such as SmartScreen and Office Protected View that depend on MOTW presence. User interaction is required to trigger the bypass, limiting automated mass exploitation. No public exploit code exists and CISA has not listed this in KEV; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through 2025 - gives this vulnerability significant surface area as a link in social-engineering attack chains.

Technical ContextAI

Mark of the Web is a Windows security mechanism implemented via NTFS alternate data streams (Zone.Identifier), automatically applied to files downloaded from the internet or retrieved from network locations. Applications such as Microsoft Office, the Windows Shell, and Microsoft Defender SmartScreen consume this tag to enforce Protected View, macro blocking, and user-warning dialogs. CWE-693 (Protection Mechanism Failure) identifies the root cause: the security control itself fails to function correctly under certain conditions rather than being overcome by the attacker through brute force or logic exploitation. The affected CPE targets span the Windows NT kernel line from build 6.3.9600 (Server 2012 R2) through 10.0.28000 (Windows 11 26H1), covering both full and Server Core installation types. The CVSS attack vector of Network (AV:N) indicates the bypass can be triggered through a network-delivered file path, consistent with SMB shares, WebDAV, or browser-initiated downloads where the tagging logic diverges from expected behavior.

RemediationAI

Apply the vendor-released patch via Windows Update or WSUS/MECM targeting the fixed builds identified per affected version: Windows Server 2025 and Windows 11 24H2 to build 10.0.26100.32995 or 10.0.26100.8655 respectively, Windows 11 26H1 to build 10.0.28000.2269, Windows 11 25H2 to 10.0.26200.8655, Windows 11 23H2 to 10.0.22631.7219, Windows 10 22H2/21H2 to 10.0.19045.7417 or 10.0.19044.7417, Windows Server 2022 to 10.0.20348.5256, Windows Server 2019/Windows 10 1809 to 10.0.17763.8880, Windows Server 2016/Windows 10 1607 to 10.0.14393.9234, and Windows Server 2012 R2 to 6.3.9600.23228. Consult the full MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45595 for cumulative update package identifiers. As a compensating control where patching is not immediately possible, enforce Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and block execution of potentially obfuscated scripts, which partially compensates for lost MOTW-dependent protections; note that these ASR rules may generate false positives in environments with legitimate macro use and require policy-mode testing before enforcement. Additionally, restricting SMB inbound access from untrusted network segments reduces the exposure of the network-delivery attack vector.

Share

CVE-2026-45595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy