Cyber Posture

CVE-2025-24061

High

Published: 11 March 2025

Published
11 March 2025
Modified
03 July 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0021 43.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.

Security Summary

CVE-2025-24061 is a protection mechanism failure in the Windows Mark of the Web (MOTW) feature, enabling an unauthorized attacker to bypass a security feature locally. This vulnerability affects Windows systems and is classified under CWE-693. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts despite requiring local access and user interaction.

An unauthorized attacker with local access to a vulnerable Windows system can exploit this issue with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation allows the attacker to bypass MOTW protections, potentially leading to high confidentiality, integrity, and availability impacts, such as executing malicious content that would otherwise be blocked.

Microsoft's update guide provides details on mitigations and patches for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24061. Security practitioners should consult this advisory for specific remediation steps.

Details

CWE(s)
CWE-693

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20947
microsoft
windows 10 1607
≤ 10.0.14393.7876 · ≤ 10.0.14393.7876
microsoft
windows 10 1809
≤ 10.0.17763.7009 · ≤ 10.0.17763.7009
microsoft
windows 10 21h2
≤ 10.0.19044.5608
microsoft
windows 10 22h2
≤ 10.0.19045.5608
microsoft
windows 11 22h2
≤ 10.0.22621.5039
microsoft
windows 11 23h2
≤ 10.0.22631.5039
microsoft
windows 11 24h2
≤ 10.0.26100.3403 · 10.0.26100.3403 — 10.0.26100.3476
microsoft
windows server 2016
≤ 10.0.14393.7876
microsoft
windows server 2019
≤ 10.0.17763.7009
+3 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1553.005 Mark-of-the-Web Bypass Defense Impairment
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
attack.mitre.org →
Why these techniques?

The vulnerability is a direct bypass of the Windows Mark of the Web (MOTW) protection mechanism, enabling execution of otherwise blocked malicious content; this maps precisely to T1553.005 Mark-of-the-Web Bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References