CVE-2023-36884
Microsoft Windows Search Remote Code Execution Vulnerability - [Actively Exploited]
Description
Windows Search Remote Code Execution Vulnerability
INFO
Published Date: July 11, 2023, 7:15 p.m.
Last Modified: Nov. 21, 2024, 8:10 a.m.
Source: [email protected]
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 1.6
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884; https://nvd.nist.gov/vuln/detail/CVE-2023-36884
Public PoC/Exploit Available at GitHub
CVE-2023-36884 has 17 public PoCs/exploits available on GitHub (listed in the Public Exploits section below).
Affected Products
The following products are affected by the CVE-2023-36884 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-36884.
URL | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jul/43 | Broken Link, Mailing List, Third Party Advisory |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 | Patch, Vendor Advisory |
Public Exploits
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts which have been published on GitHub (sorted by the most recently updated). Repository description is followed by the detected languages and topics, where available.

- A wildly opinionated Python 3 library for working with the CISA Known Exploited Vulnerabilities (KEV) catalog (Python, Makefile)
- MS Office and Windows HTML RCE (CVE-2023-36884) - PoC and exploit (Python)
- #comeonits2023 #ie9 #Storm-0978 (PowerShell)
- PowerShell Script for initial mitigation of vulnerability
- CVE-2023-36884 temporary patch (C#)
- Script to check for CVE-2023-36884 hardening (PowerShell; topics: cybersecurity, hardening, microsoft, powershell, security, windows, cve-2023-36884)
- This is an emergency solution while Microsoft addresses the vulnerability. (C#)
- Recent Campaign abusing CVE-2023-36884
- The remediation script should set the reg entries described in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 . The detection script checks if they exist. Provided AS-IS without any warranty. (PowerShell)
- A home for detection content developed by the delivr.to team (YARA)
- A collection of Message Filters for Cisco Secure Email Gateway (fka Email Security Appliance) focused on document-based threats. (Python, HTML)
- Free and libre source BadUSB payloads for Flipper Zero. [Windows, GNU/Linux, iOS] (PowerShell, Python, Shell, HTML, JavaScript, TeX; topics: flipper-zero, flipperzero, flipper-badusb, flipper-zero-payload, hak5, rubberducky, badusb, duckyscript, linux, open-source, windows, free, badusb-payloads, free-payloads, ios, iphone)
- Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs. (topics: cisa-kev, vulnerability, 0day, cisa, exploits)

Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2023-36884 vulnerability anywhere in the article.
- The Register: "Interpol nabs thousands, seizes millions in global cybercrime-busting op". Infosec in brief Interpol and its financial supporters in the South Korean government are back with another round of anti-cybercrime arrests via the fifth iteration of Operation HAECHI, this time nabb ...
- BleepingComputer: "Firefox and Windows zero-days exploited by Russian RomCom hackers". Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America. The first flaw (CVE-2024-9680) is ...
- The Hacker News: "RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks". Vulnerability / Cybercrime The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows ...
- Help Net Security: "RomCom hackers chained Firefox and Windows zero-days to deliver backdoor". Russia-aligned APT group RomCom was behind attacks that leveraged CVE-2024-9680, a remote code execution flaw in Firefox, and CVE-2024-49039, an elevation of privilege vulnerability in Windows Task Sc ...
- Cybersecurity News: "RomCom Group’s Underground Ransomware Exploits Microsoft Zero-Day Flaw". (Image: The data leak site for Underground ransomware) FortiGuard Labs found a new ransomware variant, Underground, that has been linked to the Russia-based RomCom group (also known as Storm-0978). This insidio ...
- Kaspersky: "Exploits and vulnerabilities in Q2 2024". Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a gener ...
- 0patch.com: "Micropatches Released For Windows Search Remote Code Execution (CVE-2023-36884)". Alongside July 2023 Windows Updates, Microsoft revealed the existence of a 0day that was detected in the wild and assigned it CVE-2023-36884. Without issuing a patch, they titled their original adviso ...
The following list records the changes that have been made to the CVE-2023-36884 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Nov. 21, 2024)
  - Added Reference: http://seclists.org/fulldisclosure/2023/Jul/43
  - Added Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- Modified Analysis by [email protected] (Jun. 27, 2024)
  - Removed CVSS V3.1 (NIST): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  - Added CVSS V3.1 (NIST): AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  - Removed CWE (NIST): NVD-CWE-noinfo
  - Added CWE (NIST): CWE-362
  - Removed CPE Configuration (OR):
    - cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
    - cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
    - cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x64:*
    - cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x86:*
    - cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:*
    - cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
  - Added CPE Configuration (OR):
    - cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.10240.20107
    - cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.14393.6167
    - cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.17763.4737
    - cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.19044.3324
    - cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.19044.3324
    - cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.22000.2295
    - cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.22621.2134
    - cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.14393.6167
    - cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.6614:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.17763.4737
    - cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.20348.1903
- CVE Modified by [email protected] (May. 29, 2024)
  - Added CWE (Microsoft Corporation): CWE-362
- CVE Modified by [email protected] (May. 14, 2024)
  - No changes recorded.
- CVE Modified by [email protected] (Aug. 08, 2023)
  - Changed Description
    - Old Value: Windows Search Security Feature Bypass Vulnerability
    - New Value: Windows Search Remote Code Execution Vulnerability
  - Removed CVSS V3.1 (Microsoft Corporation): AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  - Added CVSS V3.1 (Microsoft Corporation): AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE Modified by [email protected] (Aug. 08, 2023)
  - Changed Description
    - Old Value: Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog Entry https://aka.ms/Storm-0978 for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications https://www.microsoft.com/en-us/msrc/technical-security-notifications .
    - New Value: Windows Search Security Feature Bypass Vulnerability
  - Removed CVSS V3.1 (Microsoft Corporation): AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  - Added CVSS V3.1 (Microsoft Corporation): AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CVE Modified by [email protected] (Aug. 01, 2023)
  - Changed Description
    - Old Value: Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog https://aka.ms/Storm-0978 Entry for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available.
    - New Value: Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog Entry https://aka.ms/Storm-0978 for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications https://www.microsoft.com/en-us/msrc/technical-security-notifications .
- CVE Modified by [email protected] (Jul. 31, 2023)
  - Removed CVSS V3.1 (Microsoft Corporation): AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
  - Added CVSS V3.1 (Microsoft Corporation): AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  - Removed CVSS V3.1 Reason: AC-No Race Condition
  - Removed CVSS V3.1 Reason: AV-Lack of information
  - Removed CVSS V3.1 Reason: I-No limiting factors
  - Removed CVSS V3.1 Reason: A-No limiting factors
  - Removed CVSS V3.1 Reason: C-No limiting factors
  - Removed CVSS V3.1 Reason: PR-No privileges needed
- Reanalysis by [email protected] (Jul. 31, 2023)
  - Changed Reference Type for http://seclists.org/fulldisclosure/2023/Jul/43
    - Old Value: Broken Link
    - New Value: Broken Link, Mailing List, Third Party Advisory
- Modified Analysis by [email protected] (Jul. 28, 2023)
  - Changed Reference Type for http://seclists.org/fulldisclosure/2023/Jul/43
    - Old Value: No Types Assigned
    - New Value: Broken Link
- CVE Modified by [email protected] (Jul. 26, 2023)
  - Added Reference: http://seclists.org/fulldisclosure/2023/Jul/43 [No Types Assigned]
- Initial Analysis by [email protected] (Jul. 17, 2023)
  - Added CVSS V3.1 (NIST): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  - Changed Reference Type for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
    - Old Value: No Types Assigned
    - New Value: Patch, Vendor Advisory
  - Added CWE (NIST): NVD-CWE-noinfo
  - Added CPE Configuration (OR):
    - cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
    - cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
    - cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x64:*
    - cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:*:x86:*
    - cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:*
    - cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
    - cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
    - cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
    - cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
    - cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-36884 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-36884 weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
EPSS score: 22.23%
EPSS percentile: 0.96863