Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-36884

Disclosure Date: July 11, 2023 •

CVE-2023-36884 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by mkienow-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Windows Search Remote Code Execution Vulnerability

Add Assessment

cbeek-r7 (99)

August 24, 2023 1:46pm UTC (8 months ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Observed in nation state sponsored attacks Unauthenticated

Technical Analysis

CVE-2023-36884 is a fixed vulnerability that permitted remote code execution. Attackers could manipulate Microsoft Office files to bypass the Mark of the Web (MoTW) security mechanism. This bypass allowed these documents to be accessed without a security prompt, facilitating remote code execution. In response to the once-mitigated but still exploited CVE-2023-36884 weakness, Microsoft rolled out an Office Defense in Depth patch as part of August 2023 Patch Tuesday.

The Russian cyber group, Storm-0978/RomCom, has been actively exploiting this flaw.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

5.9

Exploitability Score:

1.6

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 10.0.17763.4737

Windows Server 2019 10.0.17763.4737

Windows Server 2019 (Server Core installation) 10.0.17763.4737

Windows Server 2022 10.0.20348.1906

Windows 11 version 21H2 10.0.22000.2295

Windows 10 Version 21H2 10.0.19044.3324

Windows 11 version 22H2 10.0.22621.2134

Windows 10 Version 22H2 10.0.19045.3324

Windows 10 Version 1507 10.0.10240.20107

Windows 10 Version 1607 10.0.14393.6167

Windows Server 2016 10.0.14393.6167

Windows Server 2016 (Server Core installation) 10.0.14393.6167

Windows Server 2008 Service Pack 2 6.0.6003.22216

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.22216

Windows Server 2008 Service Pack 2 6.0.6003.22216

Windows Server 2008 R2 Service Pack 1 6.1.7601.26664

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.26664

Windows Server 2012 6.2.9200.24414

Windows Server 2012 (Server Core installation) 6.2.9200.24414

Windows Server 2012 R2 6.3.9600.21503

Windows Server 2012 R2 (Server Core installation) 6.3.9600.21503

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

office 2019,
office 2021,
windows 10 1507 -,
windows 10 1607 -,
windows 10 1809 -,
windows 10 21h2 -,
windows 10 22h2 -,
windows 11 21h2 -,
windows 11 22h2,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2012 r2,
windows server 2016 -,
windows server 2019 -,
windows server 2022 -,
word 2013,
word 2016

Exploited in the Wild

Reported by:

mkienow-r7 indicated sources as

Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/07/17/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: July 17, 2023 10:37pm UTC (9 months ago)

References

Canonical

CVE-2023-36884 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36884)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline (https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline)

CVE-2023-36884 (https://github.com/zerosorai/CVE-2023-36884)

Miscellaneous

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

http://seclists.org/fulldisclosure/2023/Jul/43

Rapid7

Very High

CVE-2023-36884

Very High

Very High

Required

None

Network

CVE-2023-36884

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification