CVE-2023-36025 Vulnerability

What is CVE-2023-36025 vulnerability?

CVE-2023-36025 is a flaw in how Windows Defender SmartScreen processes specific internet shortcut files (.URL).

Normally, SmartScreen analyzes files downloaded from the web ("Mark of the Web") and warns the user if the file is potentially dangerous. By exploiting this vulnerability, an attacker can create a specially crafted .URL file that bypasses these checks entirely.

It is rated High (CVSS 8.8) because it allows for the silent execution of malicious payloads without the user receiving the expected warning prompts.

When was it discovered?

The vulnerability was publicly disclosed and patched by Microsoft on November 14, 2023 (Patch Tuesday). At the time of release, Microsoft confirmed it was already being exploited in the wild as a zero-day.

Affected products & versions

The vulnerability affects a wide range of Windows operating systems. If you are running an unpatched version of any of the following, you are at risk:

CVE-2023-36025 technical description

The core issue lies in how Windows parses Internet Shortcut (.URL) files that point to remote file shares.

Attackers craft a .URL file that points to a malicious executable hosted on a remote network share (using a UNC path, e.g., \\attacker-ip\share\malware.exe).

Due to improper parameter validation, when a user clicks this specific shortcut, Windows fails to trigger the SmartScreen analysis. Instead of seeing a "Windows protected your PC" warning, the system blindly follows the shortcut and executes the target payload.

Tactics, techniques & procedures (TTPs)

Attackers are actively using this vulnerability to deploy InfoStealers and Remote Access Trojans (RATs).

• Delivery: The exploit is often delivered via phishing emails containing a ZIP attachment, or via links on Discord and file-sharing sites.

• Execution: The ZIP file contains a crafted .URL file. When the user double-clicks it, the vulnerability triggers, and the payload is fetched from an attacker-controlled WebDAV or SMB share.

• Payloads: This technique has been heavily used by DarkGate, Phemedrone Stealer, and the Mispadu banking trojan.

• Evasion: Because the SmartScreen prompt is bypassed, the user has no visual indication that a malicious script or executable is running until it is too late.

Indicators of compromise

Indicators that CVE-2023-36025 is being attempted or has been exploited include:

• Suspicious .URL Files: Internet shortcuts where the URL= parameter points to a file:// or UNC path rather than a standard http:// or https:// website.

• Network Traffic: Outbound SMB (port 445) or WebDAV traffic initiated immediately after a user opens a file, especially to unknown external IP addresses.

• Process Execution:rundll32.exe or ieframe.dll spawning unexpected child processes after a user interacts with a shortcut file.

Known proof-of-concepts & exploits

Multiple Proof-of-Concept (PoC) exploits are publicly available on GitHub and have been integrated into malware-as-a-service toolkits.

One notable campaign involved the Phemedrone Stealer, which used this vulnerability to bypass security checks and steal sensitive data from cryptocurrency wallets, Discord, and Telegram immediately after the vulnerability was disclosed.

How to detect CVE-2023-36025 vulnerability?

• Endpoint Scanning: Use vulnerability scanners (Nessus, Qualys, Microsoft Defender) to identify endpoints that have not installed the November 2023 Cumulative Update.

• Behavioral Monitoring: Configure EDR to alert on .URL files being written to disk that contain UNC paths.

• File Analysis: Analyze the contents of .URL files in email attachments. A legitimate internet shortcut usually points to a web resource; one pointing to an executable on a remote share is highly suspicious.

Impact & risk of CVE-2023-36025 vulnerability

The risk is significant because it undermines a trusted safety mechanism. Users are trained to rely on SmartScreen warnings to catch accidental clicks on malicious files.

By removing this safety net, attackers can dramatically increase their infection rates. Successful exploitation leads to the deployment of ransomware, data theft (stealers), or full remote control of the victim's machine.

Mitigation & remediation strategies

The primary defense is patching, but defense-in-depth remains critical:

• Patch Immediately: Make sure you’ve applied the Microsoft November 2023 Security Update to all Windows endpoints. This restored the correct SmartScreen validation checks.

• Block Outbound SMB: Ensure your perimeter firewall blocks outbound traffic on TCP port 445. This prevents the compromised machine from reaching the attacker's remote share to download the payload.

• Email Filtering: Configure email gateways to block or quarantine attachments containing .URL files, as these are rarely used for legitimate business purposes in email.