CVE-2023-24880
CVE-2023-24880 is a medium-severity vulnerability in Microsoft Windows 10 1607 with a CVSS 3.x base score of 4.4. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-03-14). The underlying weakness is classified as CWE-863.
Key facts
- Severity: Medium (CVSS 3.x base score 4.4)
- EPSS exploit prediction: 78% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-03-14)
- EU (EUVD) id: EUVD-2023-28870
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-03-14)
- Weakness: CWE-863
- Affected product: Microsoft Windows 10 1607
- Published:
- Last modified:
Description
Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-24880 |
| Published | 2023-03-14 |
| Severity | Medium (CVSS:3.1 4.4) |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| CWE | CWE-863 — Incorrect Authorization |
| EPSS | 0.78152 (99.52nd percentile) |
| KEV | Yes — CISA catalog since 2023-03-14 |
| EU Exploited | Yes — EUVD-2023-28870 since 2023-03-14 |
| Assigner | Microsoft Security Response Center (MSRC) |
Summary
CVE-2023-24880 is a security feature bypass vulnerability in Microsoft Windows SmartScreen. The flaw stems from an incorrect authorization check (CWE-863) that enables an attacker to circumvent SmartScreen's reputation-based warnings when a user attempts to execute an untrusted file. Successful exploitation allows the attacker to execute malicious code without triggering the typical "Windows protected your PC" dialog, reducing the user's opportunity to decline execution. Microsoft has assigned this a Medium severity CVSS v3.1 score of 4.4.
Background
Windows SmartScreen is a security feature introduced in Windows 8 and enhanced in subsequent releases. It uses reputation-based heuristics and Microsoft's cloud intelligence to evaluate whether files downloaded from the internet are potentially malicious. When a file lacks reputation or is known to be suspicious, SmartScreen displays a warning dialog requiring explicit user action to proceed. This layer acts as a critical social-engineering defense, particularly against phishing campaigns that deliver malware via email or web downloads.
Root Cause
The vulnerability is classified under CWE-863: Incorrect Authorization. The root cause lies in the way SmartScreen validates the trustworthiness of downloaded files prior to rendering the execution prompt. Specifically, the affected Windows versions fail to properly enforce authorization checks on file execution when certain metadata conditions are manipulated. This allows an attacker-crafted file to be treated as trusted or to bypass the warning interface entirely, even though it originated from an untrusted internet zone.
The attack complexity is low, no privileges are required, and only local access with user interaction is needed — making it an attractive target for adversaries distributing malware via social engineering.
Impact
The CVSS v3.1 metrics reflect a focused integrity and availability impact with no confidentiality compromise:
| Metric | Value |
|---|---|
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | None (C:N) |
| Integrity Impact | Low (I:L) |
| Availability Impact | Low (A:L) |
While the base score of 4.4 is Medium, the real-world risk is elevated. The extremely high EPSS score of 0.78152 (99.52nd percentile) and inclusion in both the CISA Known Exploited Vulnerabilities catalog and the EU Vulnerability Database indicate widespread, active exploitation. Attackers leverage this bypass to improve malware delivery success rates in phishing and drive-by download campaigns.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. No weaponized exploit code is included.
An attacker crafts a malicious executable (e.g., a signed or specially packaged binary) and delivers it to the victim via phishing email, compromised website, or removable media. When the victim attempts to run the file, the manipulated metadata causes SmartScreen to skip its reputation check and warning dialog. The executable launches directly, giving the user no opportunity to abort. This technique has been observed in the wild to deploy ransomware and information-stealing malware payloads.
Because user interaction is still required (the victim must execute the file), this vulnerability is most effectively exploited in conjunction with convincing social-engineering lures.
Affected and Patched Versions
The following Windows versions are confirmed vulnerable based on CPE data:
Windows 10
- Version 1607
- Version 1809
- Version 20H2
- Version 21H2
- Version 22H2
Windows 11
- Version 21H2
- Version 22H2
Windows Server
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Microsoft released security updates addressing this vulnerability in March 2023. Systems that have installed the March 2023 cumulative security updates (or later) are protected.
Remediation
Primary: Apply the Microsoft security update for March 2023 (or the latest cumulative update) for all affected Windows versions. The official patch guidance is available via the Microsoft Security Response Center:
Compensating Controls:
- Enable Application Control (WDAC/AppLocker) to restrict execution of untrusted binaries.
- Configure Microsoft Defender SmartScreen for Microsoft Edge and Microsoft Store apps to block potentially unwanted apps.
- Use Attack Surface Reduction (ASR) rules, particularly "Block executable content from email client and webmail."
- Train users to avoid executing unexpected email attachments or downloaded files, even if no SmartScreen warning appears.
Detection
Defenders should monitor for:
- Execution of binaries from internet-download locations (e.g.,
Downloadsfolder) without corresponding SmartScreen events in the Windows Event Log. - Anomalous
Event ID 5007(Windows Defender/Security) or missingEvent ID 1116(SmartScreen detections) where they would normally be expected. - Endpoint detection and response (EDR) alerts for unsigned or low-reputation executables launching without user-interaction prompts.
- CISA's KEV catalog cross-referencing for vulnerable asset inventories.
Assessment
CVE-2023-24880 illustrates how a Medium-severity security-feature bypass can become a high-priority threat when paired with aggressive in-the-wild exploitation. The EPSS score of 0.78152 is a strong signal that threat actors have operationalized this flaw at scale. The dual listing in both U.S. (CISA) and EU vulnerability databases underscores its cross-border impact.
Key lessons:
- Security-feature bypasses should not be dismissed solely because of a modest CVSS base score; EPSS and KEV status provide essential context.
- Layered controls — application control, ASR rules, and user awareness — remain critical compensating defenses when patch deployment lags.
References
Frequently asked questions
- What is CVE-2023-24880?
- Windows SmartScreen Security Feature Bypass Vulnerability
- How severe is CVE-2023-24880?
- CVE-2023-24880 has a CVSS 3.x base score of 4.4, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability low.
- Is CVE-2023-24880 being actively exploited?
- Yes. CVE-2023-24880 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-03-14, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-24880?
- CVE-2023-24880 primarily affects Microsoft Windows 10 1607. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-24880?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-24880 have an EU (EUVD) identifier?
- Yes. CVE-2023-24880 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-28870. It is also flagged as exploited in the EUVD (since 2023-03-14).
- When was CVE-2023-24880 published?
- CVE-2023-24880 was published on 2023-03-14 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-24880
Affected products (10)
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1607
- CVE-2026-47291 — Critical (CVSS 9.8): Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 — Critical (CVSS 9.8): Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-33824 — Critical (CVSS 9.8): Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- CVE-2025-60724 — Critical (CVSS 9.8): Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
All CVEs affecting Microsoft Windows 10 1607 →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →