The Microsoft Defender SmartScreen Vulnerability CVE-2024-21412

Everything you need to know


CVE-2024-21412 is a critical vulnerability found in Microsoft Defender SmartScreen and discovered by the Trend Micro™ Zero Day Initiative™ (ZDI). The bypass is part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we’ve identified as Water Hydra (aka DarkCasino), which previously targeted financial market traders. We’ve also discovered a second unidentified group exploiting this same vulnerability.

Patch report

Special Patch Report

ZDI Senior Threat Researcher, Peter Girnus, discusses his findings on CVE-2024-21412, which he found actively exploited in the wild. Find out details about the bug and the threat actors.

Security update

ZDI Security update

Everything about CVE-2024-21412 from our Zero Day Initiative team.


Threat actors are constantly devising new ways of exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This underscores how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. The users most at risk are customers of Microsoft Windows Defender, and the risk is lower for users with multivendor layered security in place. Trend customers who’ve implemented our IPS (virtual patch) technologies are at the lowest risk.

What to do and what to know?

Trend customers have been protected from CVE-2024-21412 since January 17 thanks to virtual patching, and others will be protected once the official patch is released by Microsoft.

While many organizations will be rushing to alert security operations to test and deploy the official Microsoft patch, which is likely to include a reboot, Trend customers do not need to make any changes to their patch protocol since they are already protected.

For over three decades, Trend has been protecting enterprises from cyber attacks, thwarting both zero-day exploits and N-day vulnerabilities at the earliest stages. The synergistic relationship between the Trend Micro™ Zero Day Initiative™ (ZDI) threat-hunting teams and Trend Micro products allows us to identify new threats in the wild and build proactive protections for our customers. In 2023, we had active virtual patches on average 51 days ahead of Microsoft patches and, overall, 96 days ahead of all vendors whose bugs were submitted through the program. Trend boasts one of the most substantial vulnerability research organizations worldwide. Leveraging this expertise, we shield our customers from new and existing exploits.

Trend Knowledge Base

Comprehensive proactive protection and detection.

Video overview

How to take immediate action in response to the ongoing active exploitation of this vulnerability by cybercriminals.

Facts and fixes

How to safeguard your customers, employees, and systems from attacks that exploit vulnerabilities.

Protection built on leading technology

Our cybersecurity platform, Trend Vision One™, protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. Rated a leader by Gartner, Forrester, and IDC, our platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response.

What customers say
"We have experienced first-hand the advantages of being under the protective umbrella of Trend Micro. Their unparalleled threat intelligence allows us to be proactively shielded against emerging threats. By implementing their virtual patches, we've managed to stay ahead of potential exploit attempts, securing our systems and allowing our customers to have confidence that their systems are secured long before official patches become available. It's a crucial part of our cybersecurity strategy, giving us peace of mind and significant cost savings in potential breach prevention."
Mark Houpt,