HighCISA KEVExploited in the wildPublic exploit

Microsoft Windows Internet Shortcut Files SmartScreen Bypass

IdentifiersCVE-2024-21412CWE-693· Protection Mechanism Failure

CVE-2024-21412 is a Microsoft Windows Internet Shortcut Files security feature bypass vulnerability affecting handling of specially crafted .url shortcut files. The provided content consistently describes the flaw as enabling bypass of Microsoft Defender SmartScreen / Mark-of-the-Web-style security warnings when a user opens or clicks a malicious Internet Shortcut file. Reported exploitation chains used .url files that referenced attacker-controlled remote content over WebDAV, SMB, or UNC paths, including cases where one .url pointed to another remote .url or to script content such as .vbs, .bat, .cmd, or .js. Multiple sources in the content characterize the issue as related to or a bypass of the earlier CVE-2023-36025 protections. In observed campaigns, attackers used phishing lures and fake document or image themes to induce users to open the shortcut, after which Windows Explorer / Internet Shortcut handling could retrieve and execute the next-stage payload without the expected SmartScreen warning flow.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The vulnerability allows attackers to defeat a core Windows trust and warning mechanism intended to alert users before running untrusted internet-origin content. In practice, this materially lowers the barrier for initial access and malware delivery. The content links exploitation to delivery of DarkMe and DarkGate and notes that successful abuse can lead to full compromise of the Windows host once the follow-on payload executes. Operationally, the impact is not direct memory corruption or privilege escalation by itself, but reliable suppression or bypass of security prompts that would otherwise interrupt execution of attacker-controlled remote content.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by blocking or tightly controlling execution of .url files and remote content launched from WebDAV, SMB, and UNC paths; restrict outbound access to untrusted WebDAV/SMB infrastructure; harden email and web filtering against shortcut-file delivery; and monitor for Explorer, WScript, cmd.exe, mshta, regsvr32, or PowerShell execution originating from DavWWWRoot, WebDAV shares, INetCache, or temporary Tfs_DAV paths. User-awareness controls against fake document/image lures and browser prompts that open Windows Explorer also reduce exploitability. Detection opportunities in the content include proxy telemetry for Microsoft-WebDAV-MiniRedir, process creation involving UNC/DavWWWRoot paths, and temporary file creation under TfsStore\Tfs_DAV.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2024 security updates that address CVE-2024-21412. The content states Microsoft patched the vulnerability on 2024-02-13 and that CISA added it to the KEV catalog with required remediation timelines for federal agencies. Organizations should prioritize patching all supported Windows systems that process Internet Shortcut files and ensure SmartScreen-related platform updates are fully deployed.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2024-21412_Water-HydraMaturityPoCVerified exploit

This repository demonstrates a proof-of-concept exploit for CVE-2024-21412, targeting Microsoft Windows. The exploit leverages a chain of .url (Internet Shortcut) files and a crafted HTML file to bypass Microsoft Defender SmartScreen and achieve arbitrary code execution via a remote SMB share. The structure includes: - A 'webserver' directory with an HTML file that uses the 'search:' protocol to direct Windows Explorer to a malicious SMB share. - A 'samba-compose' directory with Docker Compose and Samba configuration files, setting up an SMB server with specific shares and user credentials. - The 'pictures' subdirectory contains chained .url files that ultimately point to a CMD script (a2.cmd) inside a ZIP archive on the SMB share. - The 'loader' directory contains the CMD script payload, which demonstrates code execution by launching calc.exe. Commented lines in the script suggest the potential for more advanced payloads, such as DLL injection. The exploit requires the attacker to run both the web server and the Samba server, and the victim to access the malicious HTML or .url files, triggering the exploit chain. The endpoints and configuration files are tailored for a local network (192.168.1.70), but could be adapted for other environments. The repository is a functional POC and does not include weaponized or highly automated payloads.

lsr00terDisclosed Mar 21, 2024batchyamlnetworklocal

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 21h2operating_system

Microsoft CorporationWindows 11 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

25 SOURCESView more in app

breakglass intelNews

Mar 7, 2026

Multi-RAT Operation Dismantled: WaterHydra APT Nexus, Five AES Keys Recovered, and Live C2 Infrastructure Mapped Across Three Continents - Breakglass Intelligence - Breakglass Intelligence

A SmartScreen/Mark-of-the-Web bypass vulnerability historically associated in the report with WaterHydra activity; noted as patched by Microsoft in February 2024.

breakglass intelNews

Mar 7, 2026

WaterHydra Is Back: Tracing a 4-Year DarkMe Builder Through the "vaeeva" OPSEC Failure - Breakglass Intelligence - Breakglass Intelligence

A Windows SmartScreen zero-day / Mark-of-the-Web bypass exploited by WaterHydra/DarkCasino in late 2023 and patched by Microsoft in February 2024.

cyfirma newsNews

Mar 5, 2026

Weekly Intelligence Report - 05 March 2026 - CYFIRMA

A vulnerability referenced as affecting Internet Shortcut Files security; discussed as one of the exploited vulnerabilities used by FishMonger (aka Earth Lusca).

greynoise blogNews

Feb 2, 2026

The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates

A Microsoft vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).

+16 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence12

Every observed campaign linking this CVE to a named adversary.

Associated malware11

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-21412

NVD

nvd.nist.gov/vuln/detail/CVE-2024-21412

MITRE CWE · CWE-693

Protection Mechanism Failure

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21412