
CVE-2023-36805: Windows MSHTML Auth Bypass Vulnerability

CVE-2023-36805 is an authentication bypass vulnerability in Windows MSHTML Platform affecting Windows 10 1507 that allows attackers to circumvent security features. This article covers technical details, impact, and mitigation.

Published: February 4, 2026

CVE-2023-36805 Overview

CVE-2023-36805 is a security feature bypass vulnerability affecting the Windows MSHTML Platform, the core rendering engine used by Internet Explorer and legacy web content in Windows. This vulnerability allows attackers to bypass security protections implemented in the MSHTML platform, potentially enabling the execution of malicious content that would otherwise be blocked by Windows security mechanisms.

The MSHTML platform remains a critical component in Windows systems as it handles rendering of web content in various applications beyond just Internet Explorer, including Microsoft Office documents with embedded web content and other legacy applications.

Critical Impact

Successful exploitation of this vulnerability could allow attackers to bypass security features designed to protect users from malicious web content, potentially leading to arbitrary code execution on affected systems.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 21H2, 22H2)
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022

Discovery Timeline

  • September 12, 2023 - CVE-2023-36805 published to NVD
  • April 8, 2025 - Last updated in NVD database

Technical Details for CVE-2023-36805

Vulnerability Analysis

This security feature bypass vulnerability exists in the Windows MSHTML Platform, which is responsible for rendering HTML content and executing scripts in Internet Explorer and legacy applications. The vulnerability is classified under CWE-77 (Command Injection), indicating that the flaw may allow attackers to inject and execute commands by circumventing security controls.

The attack requires local access to the target system and user interaction, meaning an attacker would need to convince a user to open a specially crafted file or visit a malicious website. Despite these prerequisites, successful exploitation can result in high impact to confidentiality, integrity, and availability of the affected system.

Root Cause

The root cause of CVE-2023-36805 lies in improper validation or enforcement of security features within the MSHTML rendering engine. The platform fails to adequately enforce security boundaries in certain scenarios, allowing specially crafted content to bypass protections that would normally prevent execution of potentially malicious code or commands.

Attack Vector

The vulnerability requires a local attack vector with high complexity. An attacker must craft malicious content specifically designed to exploit the security feature bypass. The attack chain typically involves:

  1. The attacker creates a specially crafted document or web content that exploits the MSHTML security bypass
  2. The victim must be convinced to open the malicious content (requiring user interaction)
  3. Upon opening, the MSHTML platform processes the content and fails to properly enforce security restrictions
  4. The attacker's payload bypasses security features, potentially leading to command execution with the privileges of the current user

The vulnerability mechanism exploits weaknesses in how the MSHTML platform validates and enforces security policies. Technical details regarding the specific bypass technique can be found in the Microsoft Security Update Guide.

Detection Methods for CVE-2023-36805

Indicators of Compromise

  • Unusual mshta.exe process spawning or executing unexpected commands
  • Internet Explorer or MSHTML-based applications accessing suspicious URLs or local files
  • Anomalous child processes spawned from iexplore.exe or applications using the MSHTML engine
  • Registry modifications related to Internet Explorer or MSHTML security settings

Detection Strategies

  • Monitor process creation events for mshta.exe with unusual command-line arguments
  • Implement behavioral detection for MSHTML-based applications spawning unexpected child processes
  • Deploy endpoint detection rules to identify attempts to bypass Internet Explorer security zones
  • Analyze network traffic for connections initiated by legacy IE components to untrusted destinations

Monitoring Recommendations

  • Enable Windows Event logging for process creation (Event ID 4688) with command-line auditing
  • Configure SentinelOne Singularity Platform to monitor MSHTML-related process activity and behavioral anomalies
  • Implement file integrity monitoring for critical MSHTML-related system files
  • Review application logs for errors or warnings related to security zone violations
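
The process-creation checks listed under Detection Strategies and Monitoring Recommendations can be prototyped offline before being turned into a SIEM rule. The following is an added example, not SentinelOne or Microsoft code: it assumes events have already been parsed into dictionaries keyed by the Event ID 4688 field names `NewProcessName`, `ParentProcessName` and `CommandLine`, and the process lists and regex are illustrative heuristics chosen for this sketch, not indicators published for CVE-2023-36805.

```python
import ntpath
import re

# Assumed heuristics (not from the advisory); tune them for your environment.
MSHTML_HOSTS = {"iexplore.exe", "mshta.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                    "cscript.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_OR_INLINE = re.compile(r"https?://|\b(?:javascript|vbscript):", re.I)

def base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()


def triage(event):
    """Return the reasons one 4688 record deserves analyst review."""
    reasons = []
    image = base(event.get("NewProcessName"))
    parent = base(event.get("ParentProcessName"))
    cmdline = (event.get("CommandLine") or "").strip()
    if image == "mshta.exe":
        if not cmdline:
            # Empty field usually means command-line auditing is not enabled.
            reasons.append("mshta.exe logged without a command line")
        elif REMOTE_OR_INLINE.search(cmdline):
            reasons.append("mshta.exe given a URL or inline script")
    if parent in MSHTML_HOSTS and image in SUSPECT_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    return reasons


def scan(events):
    """Map event index -> reasons for every event with a finding."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}

# Constructed sample records using Event ID 4688 field names.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/a.hta"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "cmd.exe /c ver"},
    {"NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": ""},
]
```

Calling `scan(SAMPLE_EVENTS)` leaves the first record (a local vendor HTA) unflagged and returns findings for the other three; the empty-command-line finding is a prompt to confirm that command-line auditing is actually enabled on the host.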

How to Mitigate CVE-2023-36805

Immediate Actions Required

  • Apply Microsoft's security updates for September 2023 Patch Tuesday immediately
  • Review and restrict the use of Internet Explorer and MSHTML-based applications where possible
  • Educate users about the risks of opening untrusted documents or clicking suspicious links
  • Enable Protected Mode and Enhanced Protected Mode in Internet Explorer if still in use

Patch Information

Microsoft has released security updates addressing CVE-2023-36805 as part of their September 2023 security update cycle. Administrators should consult the Microsoft Security Update Guide for CVE-2023-36805 for specific patch information and KB article numbers for each affected product.

Organizations should prioritize patching based on their exposure to MSHTML-based content and the criticality of affected systems. Windows Update, Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager can be used to deploy the patches.

Workarounds

  • Restrict or disable Internet Explorer and MSHTML-based applications where feasible
  • Implement application allowlisting to prevent unauthorized execution of mshta.exe
  • Configure Group Policy to enforce strict Internet Explorer security zone settings
  • Deploy network-level filtering to block access to known malicious content sources

```bash
# Restrict mshta.exe execution via Windows Defender Application Control
# Add to WDAC policy file to block mshta.exe
# Create a deny rule for mshta.exe in your organization's WDAC policy

# Alternative: Use Group Policy to restrict MSHTML
# Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
# Enable "Turn off the Security Settings Check feature" and configure security zones appropriately
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Windows
  • Severity: HIGH
  • CVSS Score: 7.0
  • EPSS Probability: 0.22%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: High
  • Integrity: High
  • Availability: High

CWE References

  • CWE-77
  • NVD-CWE-noinfo

Vendor Resources

  • Microsoft Security Update CVE-2023-36805

Related CVEs

  • CVE-2026-23656: Windows App Authentication Bypass Flaw
  • CVE-2026-23674: Windows MapUrlToZone Auth Bypass Flaw
  • CVE-2020-1464: Windows 10 1507 Auth Bypass Vulnerability
  • CVE-2026-21255: Windows 10 1607 Auth Bypass Vulnerability


©2026 SentinelOne, All Rights Reserved.
