Elevation of Privilege Vulnerability Affects Microsoft Outlook

CVE-2023-23397

9.8 CRITICAL

Key Information

Vendor
Microsoft
Status
Microsoft Office Ltsc 2021
Microsoft Outlook 2016
Microsoft 365 Apps For Enterprise
Microsoft Office 2019
CVE Published: 14 March 2023

Badges

👾 Exploit Exists | 🔴 Public PoC | 🟡 EPSS 87% | 📰 News Worthy

Summary

A critical elevation of privilege vulnerability, CVE-2023-23397, affects Microsoft Outlook and can give an attacker access to a user's Net-NTLMv2 hash. The vulnerability can be exploited remotely by sending a malicious Outlook object containing a UNC path to an SMB share on a threat actor-controlled server. New samples submitted to VirusTotal indicate that unknown attackers have been exploiting this vulnerability, and Microsoft has confirmed that the exploit bypasses security features. The attacks use phishing and social engineering techniques to target Windows OS users, posing a risk of remote code execution, security feature bypass, and privilege escalation. Organizations using Microsoft Outlook are urged to update to a patched version to mitigate the risk.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-23397 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Microsoft Office LTSC 2021 < 16.0.1

Microsoft Outlook 2016 < 16.0.5387.1000

Microsoft 365 Apps for Enterprise < 16.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Microsoft NTLM Zero-Day to Remain Unpatched Until April

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

2 weeks ago

Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880) - Help Net Security

For March 2023 Patch Tuesday Microsoft has fixed 2 vulnerabilities actively exploited in the wild (CVE-2023-23397, CVE-2023-24880).

4 months ago

Czechia, Germany targeted by long-term APT28 cyberespionage campaign

Attacks leveraging the critical Microsoft Outlook privilege escalation vulnerability, tracked as CVE-2023-23397, have been launched by Russian state-sponsored threat operation APT28 — also known as Forest Blizzard, BlueDelta, Fancy Bear, and TA422 — against the Czech Republic and Germany as part of ...

7 months ago

References

EPSS Score

87% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🔴 Public PoC available

  • 😈 Used in Ransomware

  • First article discovered by SecurityWeek

  • 👾 Exploit known to exist

  • CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database | Mitre Database | CISA Database | 21 Proof of Concept(s) | 37 News Article(s)