What is Mark of the Web (MOTW)?
Mark of the Web (MOTW) is a Windows security feature that tags files downloaded from the internet with a Zone Identifier (stored in an NTFS Alternate Data Stream, Zone.Identifier). Files with this tag trigger SmartScreen warnings, Protected View in Office documents, and other security checks before execution. MOTW is one of Windows' most important defenses against drive-by malware delivery — bypassing it allows malicious files to execute without protective warnings.
Overview
CVE-2022-41049 is a MOTW security feature bypass vulnerability in Windows. An attacker can craft a file in a format that causes Windows to not propagate the MOTW tag when the file is extracted or opened, allowing the resulting files to execute without SmartScreen warnings or Protected View activation. This vulnerability was confirmed exploited in the wild. See also CVE-2022-41091 for a related MOTW bypass patched the same day.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | November 2022 CU |
| Windows 11 | Yes | November 2022 CU |
| Windows Server 2016 – 2022 | Yes | November 2022 CU |
Technical Details
MOTW propagation bypasses occur when Windows fails to inherit the Zone Identifier from a parent archive to extracted files. In this variant, a specially crafted archive format (ZIP or other container) can cause Windows Explorer or shell functions to extract contained files without applying the MOTW tag from the outer container.
- Attack delivery: Attacker sends victim a malicious archive via email or web download
- Bypass mechanism: Files extracted from the archive do not receive the MOTW tag, so SmartScreen and Office Protected View treat them as if they had been created locally and skip their checks
- User interaction required: Victim must download and extract the archive
- Real-world impact: MOTW bypasses are a standard component of malware delivery chains — they eliminate the security prompt that might cause a user to pause before executing a downloaded file
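A defender-side check for whether MOTW actually propagated from a downloaded archive to the files extracted from it, added here as an example (it is not Microsoft's code and not part of this advisory): it parses the INI-style Zone.Identifier stream that Windows writes, reads that stream on NTFS via the `file:Zone.Identifier` path syntax, and flags extracted files that lack a ZoneId of 3 (Internet) or higher even though the archive carried one. The `SAMPLE_STREAM` contents and the file names used in the assertions are constructed.

```python
import os
from typing import Dict, List, Optional

# Constructed sample of the stream Windows writes for an Internet-zone download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/report.zip\r\n")


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text: Optional[str]) -> Optional[int]:
    """ZoneId as int (3 = Internet, 4 = Restricted sites); None if missing or unusable."""
    if text is None:
        return None
    try:
        return int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS (Windows only); None if absent."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def find_motw_gaps(archive_stream: Optional[str],
                   extracted: Dict[str, Optional[str]]) -> List[str]:
    """Extracted files that lost the mark: archive had ZoneId >= 3, child has none or < 3."""
    parent = zone_id(archive_stream)
    if parent is None or parent < 3:
        return []  # the archive itself was not tagged untrusted; nothing to inherit
    return sorted(name for name, stream in extracted.items()
                  if (zone_id(stream) or -1) < 3)  # None, 0, 1, 2 all count as lost
```

On a patched Windows host, feeding `read_zone_identifier` of the archive and of each extracted file into `find_motw_gaps` should return an empty list for an Explorer extraction; a non-empty result after extraction is the symptom this advisory describes.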
Discovery
Reported to Microsoft through coordinated disclosure.
Exploitation Context
Active exploitation confirmed; CISA added the CVE to KEV within six days of the November 2022 patch. MOTW bypass vulnerabilities were heavily exploited in 2022–2023 by Magniber ransomware (which used ZIP-based MOTW bypasses), QBot/Qakbot delivery chains, and various initial access brokers. The CVSS 3.1 base score (5.4) significantly understates the real-world risk — MOTW bypasses are force multipliers that make other malware delivery far more effective.
Remediation
- Apply the November 2022 Patch Tuesday cumulative update for Windows
- Ensure both CVE-2022-41049 and CVE-2022-41091 are patched (same update cycle)
- Train users to treat all downloaded archives as potentially dangerous, even when no SmartScreen prompt appears
- Consider enforcing Windows Defender Application Control (WDAC) policies that block unsigned executables regardless of MOTW status
- Enable Microsoft Defender's cloud-delivered protection for up-to-date malware signature coverage
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-41049 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2022-11-09 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 5.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| Severity | MEDIUM |
| CISA KEV Added | 2022-11-14 |
| CISA KEV Deadline | 2022-12-09 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-11-08 | Microsoft patches CVE-2022-41049 in November 2022 Patch Tuesday |
| 2022-11-09 | CVE published |
| 2022-11-14 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-12-09 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2022-41049 | Vendor Advisory |
| NVD — CVE-2022-41049 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |