CVE-2022-44698

CVE-2022-44698 is a medium-severity vulnerability in Microsoft Windows 10 1607 with a CVSS 3.x base score of 5.4. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-12-13).

Key facts

Description

Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2022-44698: Windows SmartScreen Security Feature Bypass

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2022-44698
CVSS v3 5.4 (MEDIUM)
EPSS 0.76106 (≈ 76.1%) — 99.47th percentile
CISA KEV Yes (added 2022-12-13)
EU Exploited Yes (since 2022-12-13)
Ransomware Use Confirmed
CWE Not specified in source data
Published 2022-12-13
Last Modified 2026-06-17

Summary

CVE-2022-44698 is a security feature bypass vulnerability in Windows SmartScreen. The flaw exists because SmartScreen does not properly validate file origin markers under certain conditions, allowing an attacker to deliver a malicious file that executes without triggering the usual security warnings. Successful exploitation results in a bypass of an important Windows security boundary, facilitating subsequent malware deployment.

Background

Windows SmartScreen is a reputation-based security feature introduced in Windows 8 and enhanced in Windows 10/11. It checks downloaded files and applications against a cloud-based reputation database and warns users before running potentially unsafe software. SmartScreen relies on the Mark-of-the-Web (MotW) — an alternate data stream (Zone.Identifier) attached to files downloaded from the internet — to determine whether a file should be treated as untrusted. When MotW is present, SmartScreen scrutinizes the file; when it is absent or improperly handled, the file may execute without warning.

Root Cause

The root cause of this vulnerability is improper validation of file origin markers by Windows SmartScreen. The system fails to correctly apply or verify the Mark-of-the-Web under specific execution paths, allowing a file that originated from an untrusted source to run without the expected security prompts. The exact CWE identifier was not provided in the source data, but the vulnerability class aligns with CWE-693: Protection Mechanism Failure or CWE-807: Reliance on Untrusted Inputs in a Security Decision.

Impact

CVSS Metric Value
Attack Vector Network (AV:N)
Attack Complexity Low (AC:L)
Privileges Required None (PR:N)
User Interaction Required (UI:R)
Scope Unchanged (S:U)
Confidentiality Impact None (C:N)
Integrity Impact Low (I:L)
Availability Impact Low (A:L)

The overall CVSS v3 score is 5.4 (MEDIUM). While confidentiality is not directly impacted, the integrity and availability impacts are rated LOW. The real-world risk is elevated because this bypass removes a critical user-facing protection layer. Once SmartScreen is bypassed, the attacker can deliver and execute secondary payloads — including ransomware — without the victim receiving a warning dialog. The EPSS score of 0.76106 indicates a very high probability of active exploitation in the wild.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included.

The exploitation flow generally follows these stages:

  1. Delivery: The attacker delivers a specially crafted file to the victim (e.g., via phishing email, malicious download, or compromised website).
  2. MotW Evasion: The file is constructed or delivered in a way that causes Windows to either not attach the Mark-of-the-Web or causes SmartScreen to ignore it. This can involve specific file formats, archive extractions, or protocol handlers.
  3. Execution: The victim opens the file. Because SmartScreen does not flag it, the file executes without a security warning.
  4. Payload Deployment: The attacker’s payload runs, which may download and execute additional malware such as ransomware.

The key observation for defenders is that the vulnerability is in the trust decision made by SmartScreen, not in the file format itself. Monitoring for files that bypass MotW expectations is a useful detection strategy.

Affected and Patched Versions

Affected Products

  • Windows 10 Version 1607
  • Windows 10 Version 1809
  • Windows 10 Version 20H2
  • Windows 10 Version 21H1
  • Windows 10 Version 21H2
  • Windows 10 Version 22H2
  • Windows 11 Version 21H2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Patched Versions

Microsoft released security updates addressing this vulnerability in the December 2022 Patch Tuesday release. Specific KB numbers are not available in the source data; administrators should consult the Microsoft Security Response Center advisory for exact patch packages.

Remediation

  1. Apply Security Updates: Install the December 2022 (or later) Windows cumulative security updates from Microsoft Update or WSUS.
  2. Enable Application Control: Complement SmartScreen with AppLocker or Windows Defender Application Control (WDAC) to restrict execution of untrusted binaries.
  3. User Training: Educate users to be cautious of unexpected files and email attachments, even if no SmartScreen warning appears.
  4. Email Gateway Filtering: Block or sandbox archive attachments and executable content at the email gateway.
  5. Endpoint Detection and Response (EDR): Ensure EDR agents are configured to detect suspicious child process spawning and script execution patterns.

Detection

  • MotW Audit: Monitor for files downloaded from the internet that lack a Zone.Identifier stream.
  • Process Monitoring: Alert on unexpected executable launches from user Downloads or Temp directories, especially if preceded by browser or email client activity.
  • Registry/ETW: Monitor Windows Defender SmartScreen event logs (Event ID 5007 for SmartScreen block/allow decisions) and look for anomalous allow events on known-malicious hashes.
  • Network Telemetry: Detect subsequent command-and-control (C2) or payload retrieval traffic that may follow a successful SmartScreen bypass.

Assessment

CVE-2022-44698 is a high-priority patch despite its MEDIUM CVSS score. The combination of a CISA KEV listing, confirmed ransomware use, an EPSS above 0.75, and active EU exploitation makes this a reliably weaponized vulnerability. Organizations should treat the CVSS score as a floor, not a ceiling — the downstream impact of a SmartScreen bypass is often severe.

Key lessons:

  1. Security feature bypasses are force multipliers. A single bypass can nullify multiple downstream controls.
  2. EPSS and KEV data should override raw CVSS in prioritization. A 5.4 CVSS with 0.76 EPSS and KEV status is more urgent than many 7.0+ vulnerabilities with no exploitation evidence.

References

Frequently asked questions

What is CVE-2022-44698?
Windows SmartScreen Security Feature Bypass Vulnerability
How severe is CVE-2022-44698?
CVE-2022-44698 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability low.
Is CVE-2022-44698 being actively exploited?
Yes. CVE-2022-44698 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-12-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-44698?
CVE-2022-44698 primarily affects Microsoft Windows 10 1607. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-44698?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-44698 have an EU (EUVD) identifier?
Yes. CVE-2022-44698 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-47632. It is also flagged as exploited in the EUVD (since 2022-12-13).
When was CVE-2022-44698 published?
CVE-2022-44698 was published on 2022-12-13 and last updated on 2026-06-17.

References

Affected products (10)

More vulnerabilities in Microsoft Windows 10 1607

All CVEs affecting Microsoft Windows 10 1607 →