CVE-2026-45595: Windows 10 1607 Auth Bypass Vulnerability

CVE-2026-45595 Overview

CVE-2026-45595 is a security feature bypass affecting the Windows Mark of the Web (MOTW) protection mechanism. The flaw allows an unauthenticated attacker to circumvent MOTW checks over a network when a user opens a crafted file. MOTW is the metadata tag Windows applies to files downloaded from the internet, triggering SmartScreen, Protected View, and execution warnings. When the tag is missing or stripped, downstream security controls do not activate. Microsoft tracks the weakness under CWE-693: Protection Mechanism Failure. The issue affects supported Windows 10, Windows 11, and Windows Server editions.

Critical Impact

Successful exploitation lets attackers deliver files that bypass SmartScreen and Protected View, removing a key safeguard against phishing payloads and malicious documents.

Affected Products

• Microsoft Windows 10 (1607, 1809, 21H2, 22H2) — x86, x64, ARM64
• Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) — x64, ARM64
• Microsoft Windows Server 2012 R2, 2016, 2019, 2022, and 2025

Discovery Timeline

• 2026-06-09 - CVE-2026-45595 published to NVD
• 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-45595

Vulnerability Analysis

Windows applies the MOTW tag through the Zone.Identifier Alternate Data Stream (ADS) on files arriving from untrusted sources. Applications such as Microsoft Office, Windows Explorer, and SmartScreen read this stream to decide whether to enable Protected View, block macros, or warn the user before execution. CVE-2026-45595 breaks that contract: a network-delivered file reaches the user without a valid Zone.Identifier stream attached, so the trust prompts never fire.

The vulnerability requires user interaction (UI:R in the CVSS vector) and yields limited integrity and availability impact. However, it serves as an enabler for follow-on payloads. Attackers commonly chain MOTW bypasses with macro-laden documents, LNK files, or script handlers to gain code execution under the user context. The EPSS score for this CVE sits at 0.082%.

Root Cause

The root cause is a protection mechanism failure (CWE-693) in the propagation of zone identifiers when files traverse certain container or transport formats. Windows fails to copy or preserve the MOTW tag onto extracted or referenced files, leaving them indistinguishable from locally created content.

Attack Vector

An attacker hosts a malicious file on a network share or web resource and convinces a user to open it. Because the file lacks the MOTW marker, SmartScreen does not screen the hash, Office opens the document outside Protected View, and macros or script content execute without the standard untrusted-source warning. The attack vector is network-based and requires no privileges, only that the victim opens the delivered file.

No verified public proof-of-concept code is available for CVE-2026-45595 at this time. Refer to the Microsoft CVE-2026-45595 Advisory for vendor technical details.

Detection Methods for CVE-2026-45595

Indicators of Compromise

• Files originating from network shares, archives, or downloads that are missing the Zone.Identifier Alternate Data Stream when one would be expected.
• Office documents executing macros without prompting Protected View, despite being sourced from an external location.
• Unexpected child processes (cmd.exe, powershell.exe, wscript.exe) spawned from winword.exe, excel.exe, or explorer.exe after a user opens a downloaded file.

Detection Strategies

• Hunt for process executions launched from user download paths (%USERPROFILE%\Downloads, %TEMP%) where the parent file has no Zone.Identifier stream.
• Correlate browser, email client, or SMB file-write events with subsequent execution of those files to surface MOTW propagation gaps.
• Alert on container formats (ISO, IMG, VHD, 7z, RAR) being mounted or extracted followed by execution of contained binaries or scripts.

Monitoring Recommendations

• Enable Microsoft Defender SmartScreen logging and Windows Attack Surface Reduction (ASR) telemetry across all endpoints.
• Forward Sysmon Event ID 15 (FileCreateStreamHash) to your SIEM to track Zone.Identifier creation patterns.
• Audit Office Trust Center logs for documents that bypassed Protected View despite being delivered through email or web channels.

How to Mitigate CVE-2026-45595

Immediate Actions Required

• Apply the June 2026 Microsoft security update for all affected Windows 10, Windows 11, and Windows Server builds listed in the advisory.
• Verify that Microsoft Defender SmartScreen is enabled for Explorer and Edge across the fleet through Group Policy or Intune.
• Block or restrict the use of container file formats (ISO, IMG, VHD) at email gateways and web proxies until patching completes.

Patch Information

Microsoft published the official fix in the Microsoft CVE-2026-45595 Advisory. Deploy the cumulative update corresponding to each affected Windows version through Windows Update, WSUS, or your preferred patch management tooling. Confirm patch installation by checking the build number against the KB listed in the advisory.

Workarounds

• Configure Office applications to Block macros from running in Office files from the Internet via Group Policy, even on files missing MOTW.
• Enable ASR rules including Block executable content from email client and webmail and Block untrusted and unsigned processes that run from USB.
• Train users to right-click downloaded files, select Properties, and verify the Unblock option appears before opening sensitive content from external sources.

# Group Policy registry settings to harden against MOTW bypass
# Force Office to treat files from the Internet zone as untrusted
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f

# Enable SmartScreen for Explorer
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d "Block" /f