Known Exploited Vulnerability
7.5
HIGH
CVE-2023-36884
Microsoft Windows Search Remote Code Execution Vul - [Actively Exploited]
Description

Windows Search Remote Code Execution Vulnerability

INFO

Published Date :

July 11, 2023, 7:15 p.m.

Last Modified :

June 27, 2024, 6:59 p.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

1.6
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Public PoC/Exploit Available at Github

CVE-2023-36884 has a 16 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2023-36884 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows_server_2008
2 Microsoft windows_server_2012
3 Microsoft windows_server_2016
4 Microsoft office
5 Microsoft word
6 Microsoft windows_server_2019
7 Microsoft windows_10_1607
8 Microsoft windows_10_1809
9 Microsoft windows_10_21h2
10 Microsoft windows_10_22h2
11 Microsoft windows_server_2022
12 Microsoft windows_11_21h2
13 Microsoft windows_11_22h2
14 Microsoft windows_11
15 Microsoft windows_10_1507
16 Microsoft windows_server_2012_r2
17 Microsoft windows_server_2008_r2
18 Microsoft windows_server_2008_sp2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-36884.

URL Resource
http://seclists.org/fulldisclosure/2023/Jul/43 Broken Link Mailing List Third Party Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 Patch Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

A wildly opinionated Python 3 library for working with the CISA Known Exploited Vulnerabilities (KEV) catalog

Python Makefile

Updated: 4 months, 2 weeks ago
3 stars 0 fork 0 watcher
Born at : Jan. 9, 2024, 5:51 p.m. This repo has been linked 11 different CVEs too.

MS Office and Windows HTML RCE (CVE-2023-36884) - PoC and exploit

Python

Updated: 2 months ago
35 stars 10 fork 10 watcher
Born at : Sept. 28, 2023, 11:53 a.m. This repo has been linked 1 different CVEs too.

#comeonits2023 #ie9 #Storm-0978

Updated: 1 year, 3 months ago
1 stars 1 fork 1 watcher
Born at : July 30, 2023, 2:53 p.m. This repo has been linked 1 different CVEs too.

None

PowerShell

Updated: 1 year, 3 months ago
3 stars 0 fork 0 watcher
Born at : July 28, 2023, 8:39 p.m. This repo has been linked 1 different CVEs too.

PowerShell Script for initial mitigation of vulnerability

Updated: 1 year, 3 months ago
0 stars 0 fork 0 watcher
Born at : July 20, 2023, 9:10 p.m. This repo has been linked 1 different CVEs too.

CVE-2023-36884 临时补丁

C#

Updated: 1 year, 3 months ago
0 stars 0 fork 0 watcher
Born at : July 18, 2023, 6:22 a.m. This repo has been linked 1 different CVEs too.

Script to check for CVE-2023-36884 hardening

cybersecurity hardening microsoft powershell security windows cve-2023-36884

PowerShell

Updated: 2 months, 1 week ago
14 stars 2 fork 2 watcher
Born at : July 17, 2023, 2:02 p.m. This repo has been linked 1 different CVEs too.

This is an emergency solution while Microsoft addresses the vulnerability.

C#

Updated: 6 months ago
3 stars 2 fork 2 watcher
Born at : July 15, 2023, 4:56 p.m. This repo has been linked 1 different CVEs too.

Recent Campaign abusing CVE-2023-36884

Updated: 1 year, 2 months ago
1 stars 0 fork 0 watcher
Born at : July 13, 2023, 12:54 p.m. This repo has been linked 1 different CVEs too.

The remediation script should set the reg entries described in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 . The detection script checks if they exist. Provided AS-IS without any warrenty.

PowerShell

Updated: 8 months, 2 weeks ago
22 stars 3 fork 3 watcher
Born at : July 12, 2023, 2:13 p.m. This repo has been linked 1 different CVEs too.

A home for detection content developed by the delivr.to team

YARA

Updated: 2 months ago
56 stars 5 fork 5 watcher
Born at : Feb. 8, 2023, 5:38 p.m. This repo has been linked 3 different CVEs too.

A collection of Message Filters for Cisco Secure Email Gateway (fka Email Security Appliance) focused on document-based threats.

Updated: 1 year, 7 months ago
1 stars 0 fork 0 watcher
Born at : Jan. 26, 2023, 4 p.m. This repo has been linked 3 different CVEs too.

None

Python HTML

Updated: 2 months, 3 weeks ago
19 stars 0 fork 0 watcher
Born at : Jan. 14, 2023, 8:36 p.m. This repo has been linked 10 different CVEs too.

Free and libre source BadUSB payloads for Flipper Zero. [Windows, GNU/Linux, iOS]

flipper-zero flipperzero flipper-badusb flipper-zero-payload hak5 rubberducky badusb duckyscript linux open-source windows free badusb-payloads free-payloads ios iphone

PowerShell Python Shell HTML JavaScript TeX

Updated: 1 month, 4 weeks ago
1055 stars 70 fork 70 watcher
Born at : Jan. 4, 2023, 10:05 a.m. This repo has been linked 5 different CVEs too.

Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

cisa-kev vulnerability 0day cisa exploits

Updated: 1 month, 4 weeks ago
516 stars 32 fork 32 watcher
Born at : April 19, 2022, 8:58 a.m. This repo has been linked 1181 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-36884 vulnerability anywhere in the article.

  • Cybersecurity News
RomCom Group’s Underground Ransomware Exploits Microsoft Zero-Day Flaw

The data leak site for Underground ransomwareFortiGuard Labs found a new ransomware variant, Underground, that has been linked to the Russia-based RomCom group (also known as Storm-0978). This insidio ... Read more

Published Date: Sep 04, 2024 (2 months ago)
  • Kaspersky
Exploits and vulnerabilities in Q2 2024

Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a gener ... Read more

Published Date: Aug 21, 2024 (2 months, 2 weeks ago)
  • 0patch.com
Micropatches Released For Windows Search Remote Code Execution (CVE-2023-36884)

Alongside July 2023 Windows Updates, Microsoft revealed the existence of a 0day that was detected in the wild and assigned it CVE-2023-36884. Without issuing a patch, they titled their original adviso ... Read more

Published Date: Sep 06, 2023 (1 year, 1 month ago)

The following table lists the changes that have been made to the CVE-2023-36884 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Jun. 27, 2024

    Action Type Old Value New Value
    Removed CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CVSS V3.1 NIST AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    Removed CWE NIST NVD-CWE-noinfo
    Added CWE NIST CWE-362
    Removed CPE Configuration OR *cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:* *cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:* *cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x64:* *cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x86:* *cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:* *cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.10240.20107 *cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.14393.6167 *cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.17763.4737 *cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.19044.3324 *cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.19044.3324 *cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.22000.2295 *cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.22621.2134 *cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.14393.6167 *cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.6614:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.17763.4737 *cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.20348.1903
  • CVE Modified by [email protected]

    May. 29, 2024

    Action Type Old Value New Value
    Added CWE Microsoft Corporation CWE-362
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Aug. 08, 2023

    Action Type Old Value New Value
    Changed Description Windows Search Security Feature Bypass Vulnerability Windows Search Remote Code Execution Vulnerability
    Removed CVSS V3.1 Microsoft Corporation AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    Added CVSS V3.1 Microsoft Corporation AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE Modified by [email protected]

    Aug. 08, 2023

    Action Type Old Value New Value
    Changed Description Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog Entry https://aka.ms/Storm-0978 for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications https://www.microsoft.com/en-us/msrc/technical-security-notifications . Windows Search Security Feature Bypass Vulnerability
    Removed CVSS V3.1 Microsoft Corporation AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    Added CVSS V3.1 Microsoft Corporation AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE Modified by [email protected]

    Aug. 01, 2023

    Action Type Old Value New Value
    Changed Description Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog https://aka.ms/Storm-0978  Entry for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available. Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog Entry https://aka.ms/Storm-0978 for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications https://www.microsoft.com/en-us/msrc/technical-security-notifications .
  • CVE Modified by [email protected]

    Jul. 31, 2023

    Action Type Old Value New Value
    Removed CVSS V3.1 Microsoft Corporation AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
    Added CVSS V3.1 Microsoft Corporation AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    Removed CVSS V3.1 Reason AC-No Race Condition
    Removed CVSS V3.1 Reason AV-Lack of information
    Removed CVSS V3.1 Reason I-No limiting factors
    Removed CVSS V3.1 Reason A-No limiting factors
    Removed CVSS V3.1 Reason C-No limiting factors
    Removed CVSS V3.1 Reason PR-No privileges needed
  • Reanalysis by [email protected]

    Jul. 31, 2023

    Action Type Old Value New Value
    Changed Reference Type http://seclists.org/fulldisclosure/2023/Jul/43 Broken Link http://seclists.org/fulldisclosure/2023/Jul/43 Broken Link, Mailing List, Third Party Advisory
  • Modified Analysis by [email protected]

    Jul. 28, 2023

    Action Type Old Value New Value
    Changed Reference Type http://seclists.org/fulldisclosure/2023/Jul/43 No Types Assigned http://seclists.org/fulldisclosure/2023/Jul/43 Broken Link
  • CVE Modified by [email protected]

    Jul. 26, 2023

    Action Type Old Value New Value
    Added Reference http://seclists.org/fulldisclosure/2023/Jul/43 [No Types Assigned]
  • Initial Analysis by [email protected]

    Jul. 17, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Changed Reference Type https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 No Types Assigned https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 Patch, Vendor Advisory
    Added CWE NIST NVD-CWE-noinfo
    Added CPE Configuration OR *cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:* *cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:* *cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x64:* *cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x86:* *cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:* *cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:* *cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:* *cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* *cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-36884 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-36884 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

6.88 }} -0.42%

score

0.94067

percentile

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability