{"uuid": "6ae64542-575a-4cdd-9086-42170cbc36df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24061", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116755475429413960", "content": "I just realized that I'm personally \"credited\" in April's Microsoft Patch Tuesday with a CVE-less \"Defense-in-depth\" update.\nThe vulnerability? CAB files downloaded from the internet do not write the MotW for files extracted from them.\nI reported this to MSRC, and after refusing to generate a screen recording of the exploit (I mean, really?!), they finally acknowledged the problem. However, they went radio silent after that.\nMark of the Web (MotW) evasions have gotten CVEs in the past. If we look in the last 2 years we have: CVE-2024-38213, CVE-2024-38217, CVE-2024-43487, CVE-2025-24061, CVE-2025-27472, CVE-2025-47160, CVE-2025-49740, CVE-2026-20824, CVE-2026-32225, CVE-2026-45595\nSo, why does \"Windows doesn't write MotW for extracted CAB file contents\" get a CVE?  Well, Microsoft is a CNA.  So for the most part they can invent any rules that they'd like to play by.  It could be as simple as \"We're not particularly fond of you\", and as a result, we have a vulnerability with no ID to track it.\nHere's a screen recording of a VM with March's Patch Tuesday level of updates.  When you extract a file from a CAB file, no MotW is written.  And as such, we get no protections that leverage the presence of MotW, such as SmartScreen, Smart Application Control, Office Protected View.  In this case, we have a .URL file in a CAB.  Double clicking on it results in a remote EXE running on your computer with no warning or other prompts.  But, I suppose we all know that URL files are evil and have them blocked.", "creation_timestamp": "2026-06-15T18:12:54.685854Z"}