CVE-2023-36025 — Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Windows SmartScreen — Zero-Day .url Shortcut Bypass Silently Skips SmartScreen Prompts; Phemedrone Stealer Delivery; November 2023 Patch Tuesday

What is Windows SmartScreen?

Windows SmartScreen is a security feature built into Windows and Microsoft Edge that displays a warning prompt when users attempt to run executable files downloaded from the internet — files that carry a Zone.Identifier alternate data stream (Mark of the Web, MotW) applied when they are downloaded via a browser or received as email attachments. SmartScreen checks the file's reputation against Microsoft's cloud service and warns users before execution, providing a critical last-mile defense against malware delivered via phishing links and malicious downloads. SmartScreen bypass vulnerabilities are consistently exploited by malware campaigns because they represent one of the most visible security layers between a victim clicking a malicious file and malware executing silently.

Overview

CVE-2023-36025 is a zero-day Windows SmartScreen security feature bypass vulnerability. An attacker can craft a specially formed Windows Internet Shortcut file (.url) that, when opened by a user, executes its referenced content without triggering SmartScreen's reputation check and warning prompt. Microsoft patched it on November 14, 2023 (Patch Tuesday), acknowledging active exploitation at the time of the patch. The Phemedrone Stealer malware campaign was subsequently documented using CVE-2023-36025 to silently deliver credential-stealing payloads to victims who clicked malicious .url shortcut links, bypassing all SmartScreen warnings. CISA added it to KEV the same day as the patch.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 (all supported versions) | Prior to November 2023 Patch Tuesday | KB5032189 and related KBs
Windows 11 (all supported versions) | Prior to November 2023 Patch Tuesday | KB5032190 and related KBs
Windows Server 2022 | Prior to November 2023 Patch Tuesday | Corresponding November 2023 server update
Windows Server 2019 | Prior to November 2023 Patch Tuesday | Corresponding November 2023 server update

Technical Details

The weakness is classified as CWE-693 (Protection Mechanism Failure). Windows Internet Shortcut files (.url) are a legacy Windows file format that stores a URL and associated icon settings. A .url file downloaded from the internet carries the Mark of the Web (MotW) Zone.Identifier metadata, and when the file is opened Windows should honor that mark and have SmartScreen evaluate the file before anything executes. A flaw in how Windows processes a specially crafted .url file causes SmartScreen's check to be skipped — the URL or script referenced by the shortcut executes without the usual warning prompt.

In the Phemedrone Stealer campaign, attackers distributed malicious .url files via phishing emails, Discord, and Telegram. When victims opened the .url file, it silently fetched and executed a malicious payload hosted on attacker-controlled infrastructure (often a WebDAV share or direct URL) without any SmartScreen warning. The delivered Phemedrone Stealer harvested browser credentials, cryptocurrency wallet data, and session tokens from victim machines.

The CVSS metric User Interaction: Required reflects the need for the victim to open the .url file — but that single action is easily obtained via phishing. The 8.8 score reflects the full confidentiality, integrity, and availability impact (C:H/I:H/A:H) that follows from that one user action.
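The two pieces of metadata this section turns on, the Zone.Identifier stream that carries the Mark of the Web and the INI-style body of the .url file itself, are both plain text that a responder can read off a suspect file. The following triage script is an added example (not code from the original page, from Microsoft, or from the Trend Micro analysis): it parses both, reports which zone the file was marked with, and flags shortcuts whose target is a remote share, a WebDAV-style path, or an executable/script rather than a web page. The flagging rules are this example's own heuristics, not the bypass condition (which the page does not describe), and the sample inputs are constructed using documentation addresses.

```python
"""Triage of a downloaded Internet Shortcut (.url) and its Mark of the Web.

Added example, not code from the original page or from Microsoft. It reads:
  * the Zone.Identifier alternate data stream, whose [ZoneTransfer] ZoneId
    tells Windows where the file came from (3 = Internet, the zone that
    makes SmartScreen interpose); and
  * the .url file, an INI-style text file whose [InternetShortcut] section
    carries the URL= target and an optional IconFile= entry.
The flagging rules are this example's own heuristics, not the bypass itself.
Sample inputs are constructed; hosts are documentation addresses.
"""
import configparser
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List, Optional
from urllib.parse import urlparse

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Types SmartScreen would normally interpose on; a web shortcut has no
# business pointing straight at one of these.
EXECUTABLE_EXTS = {".exe", ".dll", ".cpl", ".scr", ".js", ".jse", ".vbs", ".vbe",
                   ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi", ".wsf"}
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                  # \\host\share\...
WEBDAV_RE = re.compile(r"@(80|443|ssl)\b|davwwwroot", re.I)


def _ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(text)
    return cp


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream body, or None if absent."""
    if not stream_text:
        return None
    cp = _ini(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return None
    try:
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.NoOptionError, ValueError):
        return None


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] entries (keys are lower-cased by configparser)."""
    cp = _ini(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut (.url) file")
    return dict(cp.items("InternetShortcut"))


@dataclass
class Finding:
    target: str
    zone_id: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "no Mark of the Web")


def triage(url_text: str, zone_text: Optional[str] = None) -> Finding:
    entries = parse_url_shortcut(url_text)
    target = entries.get("url", "")
    f = Finding(target=target, zone_id=parse_zone_identifier(zone_text))
    parsed = urlparse(target)
    # 1. Where the target lives: a web page is normal, a file share is not.
    if UNC_RE.match(target):
        f.reasons.append("target is a UNC path (remote SMB/WebDAV share)")
    if parsed.scheme.lower() == "file" and parsed.netloc:
        f.reasons.append("file:// target on a remote host")
    if WEBDAV_RE.search(target):
        f.reasons.append("WebDAV-style path in target")
    # 2. What the target is: take the extension of the last path segment.
    suffix = PurePosixPath((parsed.path or target).replace("\\", "/")).suffix.lower()
    if suffix in EXECUTABLE_EXTS:
        f.reasons.append(f"target is an executable/script type ({suffix})")
    # 3. A remote IconFile is a common sign of a crafted shortcut; Explorer
    #    resolves it as soon as the file is displayed.
    icon = entries.get("iconfile", "")
    if icon and (UNC_RE.match(icon) or "://" in icon):
        f.reasons.append("IconFile points to a remote location")
    return f


def triage_file(url_path: str) -> Finding:
    """Read a .url file plus its Zone.Identifier ADS ('name:Zone.Identifier'
    on NTFS; on other filesystems the stream is simply absent)."""
    with open(url_path, encoding="utf-8", errors="replace") as fh:
        url_text = fh.read()
    try:
        with open(url_path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            zone_text = fh.read()
    except OSError:
        zone_text = None
    return triage(url_text, zone_text)


# Constructed samples (not real artefacts from the campaign).
ZONE_INTERNET = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://downloads.example.test/\n"
BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.test/docs\n"
SUSPECT_URL = ("[InternetShortcut]\nURL=file://203.0.113.10/share/invoice.cpl\n"
               "IconIndex=1\nIconFile=\\\\203.0.113.10\\share\\icon.ico\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("suspect", SUSPECT_URL)):
        r = triage(sample, ZONE_INTERNET)
        print(f"{name}: zone={r.zone_name} suspicious={r.suspicious}")
        for reason in r.reasons:
            print("   -", reason)
```

Run it on a real download with `triage_file(r"C:\Users\alice\Downloads\invoice.url")`; a file that reports the Internet zone and still carries one of the listed reasons is exactly the case where a skipped SmartScreen prompt should be investigated rather than assumed.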

Discovery

Identified by threat intelligence researchers who observed the zero-day being actively exploited before Microsoft had a patch. CISA's same-day KEV addition confirms that exploitation was already established at the time of the November 2023 Patch Tuesday release.

Exploitation Context

CVE-2023-36025 was exploited in active malware distribution campaigns before the patch was available. The Phemedrone Stealer campaign, documented by Trend Micro in January 2024, demonstrated extensive use of the bypass to deliver information-stealing malware. The attack chain was simple and effective: malicious .url files distributed via phishing → victim opens file → SmartScreen bypassed → Phemedrone payload downloaded and executed → credentials and browser data stolen.
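The chain above ends with a payload being fetched and executed from attacker-controlled infrastructure, often a WebDAV share, after a user-facing application opens the shortcut. That step leaves process-creation telemetry whether or not the SmartScreen prompt appeared, so it is the natural place for a detection. The rule below is an added example, not from the original page or any vendor product: it parses constructed Sysmon-like process-creation lines and flags a user-facing parent (the shell, mail or chat client, matching the delivery vectors named on the page) launching an image, or passing a command line, that references a remote UNC, WebDAV-style, or file:// path. The host names and addresses in the sample log are made up, and the rule is generic to remote-share launches rather than specific to CVE-2023-36025.

```python
"""Detect shortcut-driven execution from remote shares in process telemetry.

Added example, not from the original page or any vendor product. It scans
process-creation events (constructed here in a Sysmon-like key=value form)
for a user-facing parent launching something that lives on a remote UNC or
WebDAV path. Hosts in the samples are documentation addresses / made-up names.
"""
import re
from typing import Dict, Iterable, List, Optional

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# \\host\share\... (SMB or WebDAV UNC) or a file:// URL
REMOTE_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]*|file://[^\s"]+', re.I)
WEBDAV_RE = re.compile(r'@(80|443|ssl)\\|davwwwroot', re.I)
HOST_RE = re.compile(r'^(?:\\\\|file://)([^\\/@]+)', re.I)
# Parents that mean "a user opened something": the shell plus the mail and
# chat clients the page names as delivery vectors.
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe", "discord.exe",
                       "telegram.exe", "msedge.exe", "chrome.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"Timestamp": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str], internal_hosts: Iterable[str] = ()) -> Optional[Dict[str, str]]:
    """Return a finding dict, or None when the event does not match."""
    if basename(event.get("ParentImage", "")) not in USER_FACING_PARENTS:
        return None
    text = event.get("Image", "") + " " + event.get("CommandLine", "")
    m = REMOTE_RE.search(text)
    if not m:
        return None
    remote = m.group(0)
    hm = HOST_RE.match(remote)
    host = hm.group(1).lower() if hm else ""
    if WEBDAV_RE.search(remote):
        severity = "high"      # WebDAV-style path: classic external delivery
    elif host in {h.lower() for h in internal_hosts}:
        return None            # launches from known internal file servers are routine
    else:
        severity = "medium"    # any other remote launch from a user-facing parent
    return {"timestamp": event["Timestamp"], "parent": basename(event["ParentImage"]),
            "remote": remote, "host": host, "severity": severity}


def scan(lines: Iterable[str], internal_hosts: Iterable[str] = ()) -> List[Dict[str, str]]:
    internal = set(internal_hosts)
    return [f for f in (evaluate(parse_event(l), internal) for l in lines if l.strip()) if f]


# Constructed sample telemetry (not real campaign data).
SAMPLE_LOG = r'''
2023-11-20T10:01:02Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"
2023-11-20T10:03:15Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=\\203.0.113.10@80\DavWWWRoot\share\update.exe CommandLine="\\203.0.113.10@80\DavWWWRoot\share\update.exe"
2023-11-20T10:05:40Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=\\fileserver01\apps\tool.exe CommandLine="\\fileserver01\apps\tool.exe"
2023-11-20T10:07:01Z EventID=1 ParentImage=C:\Windows\System32\services.exe Image=\\fileserver01\apps\agent.exe CommandLine="agent.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, internal_hosts={"fileserver01"}):
        print(f"[{hit['severity']}] {hit['timestamp']} {hit['parent']} -> {hit['remote']}")
```

The allowlist of internal file servers is what keeps this usable: launching line-of-business tools from a corporate share is normal, while a WebDAV path with an `@80`/`@443` port suffix or a `DavWWWRoot` segment almost never is, which is why that case is rated high regardless of the allowlist.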

This vulnerability follows a pattern of successive SmartScreen bypass zero-days exploited in 2023 and 2024 — including CVE-2023-36584 (MotW bypass via specially crafted files), CVE-2024-21412 (internet shortcut bypass), and CVE-2024-38213 (WebDAV-based bypass). Attackers consistently invest in SmartScreen bypass techniques because SmartScreen is the primary friction point for malware delivery via phishing.

Remediation

  1. Apply November 2023 Windows security updates (Patch Tuesday) immediately — the CVE-2023-36025 fix is included in the November 2023 cumulative updates.
  2. Enable Windows Automatic Updates or manage updates through WSUS/SCCM to ensure timely patching of SmartScreen bypass zero-days.
  3. Consider using Attack Surface Reduction (ASR) rules in Microsoft Defender to block execution of files from WebDAV or internet-sourced shortcuts.
  4. Train users to be suspicious of .url files received via email, messaging apps, or web downloads — particularly those that execute without prompting for warnings.
  5. Enable Enhanced Phishing Protection in Windows Security settings (Windows 11) to detect unsafe password entry behaviors linked to phishing payloads.

Key Details

Property | Value
CVE ID | CVE-2023-36025
Vendor / Product | Microsoft — Windows
NVD Published | 2023-11-14
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-693
CISA KEV Added | 2023-11-14
CISA KEV Deadline | 2023-12-05
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-12-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2023-11-14 | Microsoft patches CVE-2023-36025 on November 2023 Patch Tuesday; CISA adds it to KEV the same day — zero-day with active exploitation confirmed
2023-12-05 | CISA BOD 22-01 remediation deadline
2024-01-12 | Trend Micro researchers publish analysis of Phemedrone Stealer campaigns using CVE-2023-36025 for initial payload delivery

References

Resource | Type
Microsoft Security Advisory — CVE-2023-36025 | Vendor Advisory
NVD — CVE-2023-36025 | Vulnerability Database
CISA KEV Catalog Entry | US Government