CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini February 15, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  the following two vulnerabilities to its :

  •  Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  •  Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week. Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the above vulnerabilities that are actively exploited in the wild.

Below are the details of the two vulnerabilities:

 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

  •  with 
  • Dima Lenz and Vlad Stolyarov of Google’s Threat Analysis Group
  •  with 

 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing him to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 5, 2024.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)



you might also like

leave a comment