Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Windows Internet Shortcut Files SmartScreen Security Feature Bypass

IdentifiersCVE-2024-21412CWE-693· Protection Mechanism Failure

CVE-2024-21412 is a Microsoft Windows Internet Shortcut Files security feature bypass vulnerability affecting the handling of specially crafted .url Internet Shortcut files. The flaw allows an unauthenticated attacker to send or host a crafted shortcut file such that, when a user opens or clicks it, Windows/Defender SmartScreen security checks and warning prompts can be bypassed. Reporting cited in the provided content indicates the issue was exploited using Internet Shortcut files that referenced remote content, including chains where a .url pointed to another .url or to attacker-controlled content on a remote SMB/WebDAV location, resulting in execution of the next-stage payload without the expected SmartScreen warning. Multiple sources in the content describe it as a bypass related to the earlier CVE-2023-36025 behavior and note in-the-wild exploitation by Water Hydra/DarkCasino and in DarkGate campaigns.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation bypasses a core Windows trust and warning mechanism for internet-originated files, reducing or eliminating user-facing security prompts that would normally help prevent execution of untrusted content. In observed campaigns, this enabled delivery and execution of malware such as DarkMe and DarkGate, leading to full compromise of the Windows host. The practical impact is therefore indirect but severe: it facilitates initial access, malware execution, credential theft, persistence, and follow-on compromise by removing SmartScreen/MotW-based friction from malicious file execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by blocking or tightly controlling delivery and execution of .url Internet Shortcut files from untrusted sources, especially those originating from email, web downloads, SMB shares, and WebDAV locations. Enforce Mark-of-the-Web preservation and inspect/limit execution paths involving shortcut files that reference remote content. Harden email and web filtering to quarantine shortcut-bearing archives and suspicious installer lures, restrict outbound access to untrusted SMB/WebDAV infrastructure where feasible, and use application control to prevent script interpreters and LOLBins from launching follow-on payloads from user-writable locations. User awareness remains relevant because exploitation requires the target to open or click attacker-supplied content.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2024 security updates that address CVE-2024-21412. CISA added the vulnerability to the KEV catalog and required federal agencies to remediate it by the published deadline; other organizations should likewise prioritize patching. Because the flaw has been exploited in the wild as a zero-day and has been used in malware delivery chains, remediation should include verifying that affected Windows systems have received the relevant cumulative/security updates and that SmartScreen-related protections are functioning as expected after patching.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
CVE-2024-21412_Water-HydraMaturityPoCVerified exploit

This repository demonstrates a proof-of-concept exploit for CVE-2024-21412, targeting Microsoft Windows. The exploit leverages a chain of .url (Internet Shortcut) files and a crafted HTML file to bypass Microsoft Defender SmartScreen and achieve arbitrary code execution via a remote SMB share. The structure includes: - A 'webserver' directory with an HTML file that uses the 'search:' protocol to direct Windows Explorer to a malicious SMB share. - A 'samba-compose' directory with Docker Compose and Samba configuration files, setting up an SMB server with specific shares and user credentials. - The 'pictures' subdirectory contains chained .url files that ultimately point to a CMD script (a2.cmd) inside a ZIP archive on the SMB share. - The 'loader' directory contains the CMD script payload, which demonstrates code execution by launching calc.exe. Commented lines in the script suggest the potential for more advanced payloads, such as DLL injection. The exploit requires the attacker to run both the web server and the Samba server, and the victim to access the malicious HTML or .url files, triggering the exploit chain. The endpoints and configuration files are tailored for a local network (192.168.1.70), but could be adapted for other environments. The repository is a functional POC and does not include weaponized or highly automated payloads.

lsr00terDisclosed Mar 21, 2024batchyamlnetworklocal
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 21h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app
breakglass intelNews
Mar 7, 2026
Multi-RAT Operation Dismantled: WaterHydra APT Nexus, Five AES Keys Recovered, and Live C2 Infrastructure Mapped Across Three Continents - Breakglass Intelligence - Breakglass Intelligence

A SmartScreen/Mark-of-the-Web bypass vulnerability historically associated in the report with WaterHydra activity; noted as patched by Microsoft in February 2024.

Read more
breakglass intelNews
Mar 7, 2026
WaterHydra Is Back: Tracing a 4-Year DarkMe Builder Through the "vaeeva" OPSEC Failure - Breakglass Intelligence - Breakglass Intelligence

A Windows SmartScreen zero-day / Mark-of-the-Web bypass exploited by WaterHydra/DarkCasino in late 2023 and patched by Microsoft in February 2024.

Read more
cyfirma newsNews
Mar 5, 2026
Weekly Intelligence Report - 05 March 2026 - CYFIRMA

A vulnerability referenced as affecting Internet Shortcut Files security; discussed as one of the exploited vulnerabilities used by FishMonger (aka Earth Lusca).

Read more
greynoise blogNews
Feb 2, 2026
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates

A Microsoft vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).

Read more
+15 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence9

Every observed campaign linking this CVE to a named adversary.

Associated malware11

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-21412
NVD
nvd.nist.gov/vuln/detail/CVE-2024-21412
MITRE CWE · CWE-693
Protection Mechanism Failure
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21412