CVE-2022-44698
CVE-2022-44698 is a medium-severity vulnerability in Microsoft Windows 10 1607 with a CVSS 3.x base score of 5.4. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-12-13).
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 76% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-12-13)
- EU (EUVD) id: EUVD-2022-47632
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-12-13)
- Affected product: Microsoft Windows 10 1607
- Published:
- Last modified:
Description
Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2022-44698: Windows SmartScreen Security Feature Bypass
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2022-44698 |
| CVSS v3 | 5.4 (MEDIUM) |
| EPSS | 0.76106 (≈ 76.1%) — 99.47th percentile |
| CISA KEV | Yes (added 2022-12-13) |
| EU Exploited | Yes (since 2022-12-13) |
| Ransomware Use | Confirmed |
| CWE | Not specified in source data |
| Published | 2022-12-13 |
| Last Modified | 2026-06-17 |
Summary
CVE-2022-44698 is a security feature bypass vulnerability in Windows SmartScreen. The flaw exists because SmartScreen does not properly validate file origin markers under certain conditions, allowing an attacker to deliver a malicious file that executes without triggering the usual security warnings. Successful exploitation results in a bypass of an important Windows security boundary, facilitating subsequent malware deployment.
Background
Windows SmartScreen is a reputation-based security feature introduced in Windows 8 and enhanced in Windows 10/11. It checks downloaded files and applications against a cloud-based reputation database and warns users before running potentially unsafe software. SmartScreen relies on the Mark-of-the-Web (MotW) — an alternate data stream (Zone.Identifier) attached to files downloaded from the internet — to determine whether a file should be treated as untrusted. When MotW is present, SmartScreen scrutinizes the file; when it is absent or improperly handled, the file may execute without warning.
Root Cause
The root cause of this vulnerability is improper validation of file origin markers by Windows SmartScreen. The system fails to correctly apply or verify the Mark-of-the-Web under specific execution paths, allowing a file that originated from an untrusted source to run without the expected security prompts. The exact CWE identifier was not provided in the source data, but the vulnerability class aligns with CWE-693: Protection Mechanism Failure or CWE-807: Reliance on Untrusted Inputs in a Security Decision.
Impact
| CVSS Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | None (C:N) |
| Integrity Impact | Low (I:L) |
| Availability Impact | Low (A:L) |
The overall CVSS v3 score is 5.4 (MEDIUM). While confidentiality is not directly impacted, the integrity and availability impacts are rated LOW. The real-world risk is elevated because this bypass removes a critical user-facing protection layer. Once SmartScreen is bypassed, the attacker can deliver and execute secondary payloads — including ransomware — without the victim receiving a warning dialog. The EPSS score of 0.76106 indicates a very high probability of active exploitation in the wild.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included.
The exploitation flow generally follows these stages:
- Delivery: The attacker delivers a specially crafted file to the victim (e.g., via phishing email, malicious download, or compromised website).
- MotW Evasion: The file is constructed or delivered in a way that causes Windows to either not attach the Mark-of-the-Web or causes SmartScreen to ignore it. This can involve specific file formats, archive extractions, or protocol handlers.
- Execution: The victim opens the file. Because SmartScreen does not flag it, the file executes without a security warning.
- Payload Deployment: The attacker’s payload runs, which may download and execute additional malware such as ransomware.
The key observation for defenders is that the vulnerability is in the trust decision made by SmartScreen, not in the file format itself. Monitoring for files that bypass MotW expectations is a useful detection strategy.
Affected and Patched Versions
Affected Products
- Windows 10 Version 1607
- Windows 10 Version 1809
- Windows 10 Version 20H2
- Windows 10 Version 21H1
- Windows 10 Version 21H2
- Windows 10 Version 22H2
- Windows 11 Version 21H2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Patched Versions
Microsoft released security updates addressing this vulnerability in the December 2022 Patch Tuesday release. Specific KB numbers are not available in the source data; administrators should consult the Microsoft Security Response Center advisory for exact patch packages.
Remediation
- Apply Security Updates: Install the December 2022 (or later) Windows cumulative security updates from Microsoft Update or WSUS.
- Enable Application Control: Complement SmartScreen with AppLocker or Windows Defender Application Control (WDAC) to restrict execution of untrusted binaries.
- User Training: Educate users to be cautious of unexpected files and email attachments, even if no SmartScreen warning appears.
- Email Gateway Filtering: Block or sandbox archive attachments and executable content at the email gateway.
- Endpoint Detection and Response (EDR): Ensure EDR agents are configured to detect suspicious child process spawning and script execution patterns.
Detection
- MotW Audit: Monitor for files downloaded from the internet that lack a Zone.Identifier stream.
- Process Monitoring: Alert on unexpected executable launches from user Downloads or Temp directories, especially if preceded by browser or email client activity.
- Registry/ETW: Monitor Windows Defender SmartScreen event logs (Event ID 5007 for SmartScreen block/allow decisions) and look for anomalous allow events on known-malicious hashes.
- Network Telemetry: Detect subsequent command-and-control (C2) or payload retrieval traffic that may follow a successful SmartScreen bypass.
Assessment
CVE-2022-44698 is a high-priority patch despite its MEDIUM CVSS score. The combination of a CISA KEV listing, confirmed ransomware use, an EPSS above 0.75, and active EU exploitation makes this a reliably weaponized vulnerability. Organizations should treat the CVSS score as a floor, not a ceiling — the downstream impact of a SmartScreen bypass is often severe.
Key lessons:
- Security feature bypasses are force multipliers. A single bypass can nullify multiple downstream controls.
- EPSS and KEV data should override raw CVSS in prioritization. A 5.4 CVSS with 0.76 EPSS and KEV status is more urgent than many 7.0+ vulnerabilities with no exploitation evidence.
References
Frequently asked questions
- What is CVE-2022-44698?
- Windows SmartScreen Security Feature Bypass Vulnerability
- How severe is CVE-2022-44698?
- CVE-2022-44698 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability low.
- Is CVE-2022-44698 being actively exploited?
- Yes. CVE-2022-44698 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-12-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-44698?
- CVE-2022-44698 primarily affects Microsoft Windows 10 1607. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-44698?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-44698 have an EU (EUVD) identifier?
- Yes. CVE-2022-44698 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-47632. It is also flagged as exploited in the EUVD (since 2022-12-13).
- When was CVE-2022-44698 published?
- CVE-2022-44698 was published on 2022-12-13 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-44698
Affected products (10)
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1607
- CVE-2026-47291 — Critical (CVSS 9.8): Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 — Critical (CVSS 9.8): Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-33824 — Critical (CVSS 9.8): Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- CVE-2025-60724 — Critical (CVSS 9.8): Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…