Microsoft has released a security update to address CVE-2026-45595, a Windows Mark of the Web (MotW) security feature bypass vulnerability, as part of the June 9, 2026 Patch Tuesday. The flaw, rated Important with a CVSS score of 6.8, could allow an attacker to craft a malicious file that evades SmartScreen protections and other downstream security checks that rely on the MotW label. The update is available for all supported editions of Windows 10, Windows 11, and Windows Server, with patches distributed through KB5039212 (Windows 11 24H2), KB5039210 (Windows 11 23H2), KB5039208 (Windows 10 22H2), and corresponding server updates.

The vulnerability lies in how Windows interprets MotW metadata when files are downloaded from untrusted sources. Normally, when a file arrives from the internet, Windows attaches a Zone.Identifier alternate data stream. This tag triggers additional scrutiny: SmartScreen reputation checks for executables, macro-blocking in Office documents, and warnings when unzipped archives contain files from the web. CVE-2026-45595 allows an attacker to strip or corrupt this identifier in certain file types without modifying the file’s content, effectively rendering the file “trusted” from the operating system’s perspective.

Attackers can exploit this flaw by hosting a weaponized file on a website or distributing it via phishing emails. Once downloaded, the file appears to originate from a local zone, bypassing the usual security prompts. For enterprise environments where Group Policy enforces MotW checks for macros, scripts, and executables, this bypass can silently allow code execution, leading to ransomware deployment, credential theft, or lateral movement. The attack surface spans any file type that relies on MotW for protection: .exe, .msi, .docm, .xlsm, .zip, .iso, and even lesser-known containers like .vhd and .vhdx.

Microsoft assessed the attack complexity as low, requiring no user interaction beyond downloading and opening the file. Privileges are not required, though the attacker needs a delivery mechanism. The Exploit Code Maturity indicator is “Proof of Concept,” meaning functional exploit code is likely circulating privately but has not been observed in the wild as of patch release. Still, given past MotW bypasses, weaponization can be rapid. The defense-in-depth nature of MotW means that while it is not a sandbox escape or memory corruption bug, its deactivation strips away a critical layer of warning, allowing other exploits to succeed more easily.

This is not the first time MotW bypasses have surfaced. In 2023, CVE-2023-36584 was patched after attackers used malformed .url files to hide zone identifiers. Another high-profile case involved weaponized .iso and .vhd files that avoided SmartScreen scans. The recurring challenge stems from the complexity of zone identifier propagation. Windows must correctly inherit and preserve the MOTW when files are moved, copied, extracted, or renamed. A logic error in a single API can create a bypass that spans file formats. Security researchers have long argued that MotW is a brittle feature, overly reliant on string-based checks in alternate data streams. Microsoft has gradually hardened these mechanisms but the attack surface is vast.

For the June 2026 patch, Microsoft addressed the vulnerability by strengthening integrity checks on Zone.Identifier streams. Specifically, the update validates that the stream matches an expected format when a file is initially placed on disk and when it is subsequently accessed by applications that request zone information. If the stream is found to be tampered with, Windows now falls back to assuming an internet zone rather than defaulting to local trust. This behavioral change may cause some legitimate files to show additional prompts if their zone identifier metadata has been accidentally corrupted by third-party tools, but Microsoft expects this to be rare.

System administrators should prioritize deployment of the update, particularly on endpoints where users frequently download files from the internet. The patch is cumulative, so installing the June 2026 security update automatically resolves the vulnerability. Microsoft has also released corresponding security updates for Microsoft Edge and Internet Explorer that improve how MotW is assigned to files downloaded via the browser, closing companion vectors. No workarounds are recommended, though disabling automatic opening of downloaded files and enforcing Attack Surface Reduction (ASR) rules regarding Office macros and untrusted files can provide additional defense-in-depth.

For Windows 11 24H2, the update brings the OS build to 26100.1457. It does not introduce any known issues beyond a minor cosmetic bug where the File Explorer status bar occasionally fails to refresh zone information for newly extracted archives. Microsoft expects to resolve that in a July cumulative update. Windows 10 22H2, now in its final year of mainstream support, received build 19045.4842; this patched version will be required for organizations planning to enroll in the Extended Security Update (ESU) program in 2027.

Enterprise customers using Microsoft Defender for Endpoint will see the vulnerability reflected as an active alert if exploitation is attempted post-patching, as the behavioral engine can detect attempts to craft modified Zone.Identifier streams. Additionally, Microsoft 365 Defender now includes an assessment for CVE-2026-45595 in its threat and vulnerability management dashboard, flagging unpatched machines.

The patch cycle also addressed 48 other vulnerabilities, but CVE-2026-45595 stands out due to its low complexity and the ubiquitous nature of MotW. Security researchers applaud the fix but caution that MotW bypasses will continue to be a cat-and-mouse game. The fundamental issue—that Windows must trust metadata that is stored in a user-writable attribute—makes it inherently fragile. Some suggest moving toward cryptographic signing of zone information, but that would break compatibility with countless legacy applications. For now, the patch is a critical stopgap.

Users should apply the update through Windows Update or download it from the Microsoft Update Catalog. The update requires a reboot. Microsoft’s Security Update Guide entry for CVE-2026-45595 provides technical details and proof-of-concept restrictions, withholding full exploit code under responsible disclosure norms. Security teams are advised to review the CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which reflects high impact on confidentiality, integrity, and availability, though the user interaction requirement (the victim must open the file) keeps the base score at 6.8.

Looking ahead, Microsoft is expected to further harden MotW in the Windows 11 25H2 release scheduled for late 2026, possibly integrating zone identifiers into the ReFS file system’s integrity streams for tamper resistance. Until then, patching remains the primary defense. As always, security professionals must treat MotW as a signal, not a security boundary. Layered defenses, user education, and prompt patch deployment form the best strategy against bypasses like CVE-2026-45595.