Microsoft Patches Repeated Windows Mark-of-the-Web and SmartScreen Bypass Flaws
Microsoft has disclosed a sustained series of security feature bypass vulnerabilities across Windows and related components, with multiple advisories tied to Mark of the Web (MotW), SmartScreen, MapUrlToZone, Windows shortcut handling, and security zone mapping. The most detailed recent case, CVE-2026-32225, affects Windows Shell and allows attackers to bypass SmartScreen protections that rely on MotW by persuading a user to open a specially crafted .lnk file. Microsoft said successful exploitation could cause Windows to launch commands or Control Panel applets without proper MotW handling, potentially enabling arbitrary command execution or the loading of attacker-controlled DLLs; the flaw was rated Important, assigned a CVSS 8.8, marked as more likely to be exploited, and fixed at disclosure.
The newer Windows Shell issue follows a broader pattern of Microsoft fixes for related bypasses, including CVE-2022-44698 in Windows SmartScreen; CVE-2023-36564 in Windows Search; CVE-2023-36584, CVE-2024-38217, and CVE-2024-43487 in Windows Mark of the Web; CVE-2024-30073 in Windows Security Zone Mapping; CVE-2025-21328, CVE-2025-21329, and CVE-2025-21332 in MapUrlToZone; and CVE-2025-47160 in Windows Shortcut Files. Additional bypass advisories affected Microsoft products including Publisher, Office Developer Platform, PowerShell, Kerberos, Windows Hello, Surface, and PC Manager, underscoring Microsoft's continued effort to close gaps in trust labeling and execution safeguards that attackers can abuse to reduce warnings and increase the success of social-engineering attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses PowerShell and Windows Shell bypass flaws
Microsoft published CVE-2026-26143 and CVE-2026-32225, covering Microsoft PowerShell and Windows Shell security feature bypass vulnerabilities. For CVE-2026-32225, Microsoft said exploitation was more likely, credited Jeong Lee, and released a fix at disclosure.
Microsoft discloses CVE-2025-53139 Windows Hello bypass
Microsoft published CVE-2025-53139, a Windows Hello security feature bypass vulnerability.
Microsoft discloses CVE-2025-49728 PC Manager bypass
Microsoft published CVE-2025-49728, a Microsoft PC Manager security feature bypass vulnerability.
Microsoft discloses CVE-2025-49756 Office Developer Platform bypass
Microsoft published CVE-2025-49756, an Office Developer Platform security feature bypass vulnerability.
Microsoft discloses CVE-2025-47160 shortcut files bypass
Microsoft published CVE-2025-47160, a Windows Shortcut Files security feature bypass vulnerability.
Microsoft discloses CVE-2025-21247 MapUrlToZone bypass
Microsoft published CVE-2025-21247, a MapUrlToZone Security Feature Bypass Vulnerability, in its Security Update Guide. This adds a separate March 2025 bypass advisory not previously listed in the timeline.
Microsoft discloses CVE-2025-26633 MMC bypass
Microsoft published CVE-2025-26633, a Microsoft Management Console security feature bypass vulnerability, in its Security Update Guide. The disclosure adds a new March 2025 bypass advisory not previously captured in the timeline.
Microsoft discloses CVE-2025-21359 Windows Kernel bypass
Microsoft published CVE-2025-21359, a Windows Kernel security feature bypass vulnerability, in its Security Update Guide.
Microsoft discloses CVE-2025-21194 Surface bypass
Microsoft published CVE-2025-21194, a Microsoft Surface security feature bypass vulnerability, in its Security Update Guide.
Microsoft discloses Kerberos and MapUrlToZone bypass flaws
Microsoft published CVE-2025-21299, CVE-2025-21328, CVE-2025-21329, and CVE-2025-21332, covering Windows Kerberos and multiple MapUrlToZone security feature bypass vulnerabilities.
Microsoft discloses multiple Windows and Office bypass flaws
Microsoft published CVE-2024-30073, CVE-2024-38217, CVE-2024-38226, and CVE-2024-43487, covering Security Zone Mapping, Mark of the Web, Microsoft Publisher, and another Mark of the Web security feature bypass vulnerability. These advisories were released together on the same date.
Microsoft discloses CVE-2024-29988 SmartScreen Prompt bypass
Microsoft published CVE-2024-29988, a SmartScreen Prompt Security Feature Bypass Vulnerability, in its Security Update Guide. This adds a separate April 2024 bypass advisory not previously captured in the timeline.
Microsoft discloses CVE-2024-21362 Windows Kernel bypass
Microsoft published CVE-2024-21362, a Windows Kernel security feature bypass vulnerability, in the Security Update Guide.
Microsoft discloses CVE-2023-36584 Mark of the Web bypass
Microsoft published CVE-2023-36584, a Windows Mark of the Web security feature bypass vulnerability, on the same Patch Tuesday release cycle.
Microsoft discloses CVE-2023-36564 Windows Search bypass
Microsoft published CVE-2023-36564, a Windows Search security feature bypass vulnerability, in its Security Update Guide.
Microsoft discloses CVE-2022-44698 SmartScreen bypass
Microsoft published guidance for CVE-2022-44698, a Windows SmartScreen security feature bypass vulnerability. This marks the earliest referenced disclosure in the set.
Sources
25 references tracked. Mallory keeps watching after this page renders.
CVE-2026-26143 - Security Update Guide - Microsoft - Microsoft PowerShell Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-32225 - Security Update Guide - Microsoft - Windows Shell Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-53139 - Security Update Guide - Microsoft - Windows Hello Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-49728 - Security Update Guide - Microsoft - Microsoft PC Manager Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36584 - Security Update Guide - Microsoft - Windows Mark of the Web Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36564 - Security Update Guide - Microsoft - Windows Search Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36584 - Security Update Guide - Microsoft - Windows Mark of the Web Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-44698 - Security Update Guide - Microsoft - Windows SmartScreen Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing **~58–59 vulnerabilities** across Windows and other products, including **six zero-day flaws confirmed as actively exploited in the wild** and **five Critical** issues. Reported vulnerability classes were led by **Elevation of Privilege (25)**, followed by **Remote Code Execution (12)** and **Security Feature Bypass (5)**, with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional *Edge* fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (`CVE-2026-0391`). One of the actively exploited zero-days highlighted across reporting is `CVE-2026-21510`, a **Windows Shell security feature bypass** that can be abused to evade **Mark-of-the-Web/SmartScreen-style warnings** by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of **updated Secure Boot certificates** ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
Mar 21, 2026
Microsoft disclosed SmartScreen and Office security feature bypass flaws
Microsoft published advisories for multiple **security feature bypass** vulnerabilities affecting Windows and Office components, including `CVE-2023-36025` in **Windows SmartScreen**, `CVE-2023-36413` in **Microsoft Office**, `CVE-2023-21715` in **Microsoft Publisher**, and `CVE-2026-21514` in **Microsoft Word**. The flaws were categorized as bypass issues rather than direct remote code execution bugs, indicating attackers could evade built-in protections intended to warn users or restrict unsafe content. The disclosures show a recurring pattern across Microsoft products in which trust and warning mechanisms can be circumvented, potentially increasing the success of phishing, malicious document delivery, and other social-engineering attacks. Organizations relying on SmartScreen and Office security controls should review the relevant Microsoft Security Update Guide entries for affected products and ensure patches are applied to reduce the risk of users opening files or content that bypass normal safeguards.
May 25, 2026
Microsoft Patches Windows Internet Shortcut RCE Exploited via Malicious URL Files
Microsoft disclosed **CVE-2025-33053**, an **Important** remote code execution flaw in **Internet Shortcut Files** that affects all supported versions of Windows and carries a **CVSS 8.8** rating. The vulnerability is tied to **CWE-73** (external control of file name or path) and can let an unauthenticated attacker execute code over a network if a user clicks a specially crafted URL. Microsoft said the bug had been **exploited in the wild**, that **functional exploit code** was available, and that security updates had been released. The advisory said the issue has implications beyond legacy browser use because underlying **MSHTML**, **EdgeHTML**, and scripting components remain supported on some platforms and are still used by **Internet Explorer mode**, the **WebBrowser control**, **WebView**, and some **UWP** applications. Microsoft also noted that **IE cumulative updates** still matter for certain older Windows Server systems, and later revised the advisory to correct the CVE title and description without changing the technical impact. Related Microsoft advisories show the flaw joins a broader pattern of remote code execution risks across Windows and server products, including **MSHTML**, **Hyper-V**, **Exchange Server**, and **SharePoint Server**.
May 25, 2026