Report Name: Microsoft Patch Tuesday, May 2023
Generated: 2023-05-27 03:08:17

Product Name | Prevalence | CVE counts (U/C/H/M/L; empty severity columns omitted) | Comment
---|---|---|---
Windows SMB | 1 | 1 | Windows component
Remote Procedure Call Runtime | 0.9 | 1 | Remote Procedure Call Runtime
Windows Kernel | 0.9 | 1 | Windows Kernel
Windows NTLM | 0.9 | 1 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity
Windows Win32k | 0.9 | 1, 1 | Windows kernel-mode driver
Microsoft Defender | 0.8 | 1 | Anti-malware component of Microsoft Windows
Microsoft Edge | 0.8 | 1, 1, 7, 9 | Web browser
Microsoft Remote Desktop app for Windows | 0.8 | 1 | Windows component
Secure Boot | 0.8 | 1 | Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM)
Server for NFS | 0.8 | 1 | Windows component
SysInternals Sysmon for Windows | 0.8 | 1 | Windows component
Windows Backup Service | 0.8 | 1 | Windows component
Windows Bluetooth Driver | 0.8 | 1, 2 | Windows component
Windows Driver Revocation List | 0.8 | 1 | Windows component
Windows Graphics Component | 0.8 | 1 | Windows component
Windows Installer | 0.8 | 1 | Windows component
Windows Lightweight Directory Access Protocol (LDAP) | 0.8 | 1 | Windows component
Windows MSHTML Platform | 0.8 | 1 | Windows component
Windows NFS Portmapper | 0.8 | 1 | Windows component
Windows Network File System | 0.8 | 1 | Windows component
Windows OLE | 0.8 | 1 | Windows component
Windows Pragmatic General Multicast (PGM) | 0.8 | 1, 1 | Windows component
Windows Remote Desktop Client | 0.8 | 1 | Remote Desktop Protocol Client
Windows Secure Socket Tunneling Protocol (SSTP) | 0.8 | 1 | Windows component
Windows iSCSI Target Service | 0.8 | 1 | Windows component
Microsoft SharePoint | 0.7 | 1, 2 | Microsoft SharePoint
Microsoft Access | 0.6 | 1 | MS Office product
Microsoft Excel | 0.6 | 1 | MS Office product
Microsoft Office | 0.6 | 1 | Microsoft Office
Microsoft Word | 0.6 | 1 | MS Office product
Teams | 0.6 | 1 | MS Office product
AV1 Video Extension | 0.5 | 2 | AV1 Video Extension
Visual Studio Code | 0.3 | 1 | Integrated development environment

Vulnerability Type | Criticality | CVE counts (U/C/H/M/L; empty severity columns omitted) | Comment
---|---|---|---
Remote Code Execution | 1.0 | 11, 1 | Remote Code Execution
Security Feature Bypass | 0.9 | 1, 6, 2 | Security Feature Bypass
Denial of Service | 0.7 | 2, 3 | Denial of Service
Memory Corruption | 0.6 | 1, 1, 4 | Memory Corruption
Elevation of Privilege | 0.5 | 1, 8 | Elevation of Privilege
Information Disclosure | 0.4 | 8 | Information Disclosure
Spoofing | 0.4 | 3 | Spoofing
Unknown Vulnerability Type | 0 | 5 | Unknown Vulnerability Type

1. Memory Corruption - Microsoft Edge (CVE-2023-2033) - Urgent [859]
Description: Chromium: CVE-2023-2033

Value | Weight | Comment
---|---|---
1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites
1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Type Confusion in Google Chrome)
0.6 | 15 | Memory Corruption
0.8 | 14 | Web browser
0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source
0.8 | 10 | EPSS Probability is 0.00983, EPSS Percentile is 0.81276

MS PT Extended: CVE-2023-2033 was published before the May 2023 Patch Tuesday, in the period from 2023-04-12 to 2023-05-08
2. Security Feature Bypass - Secure Boot (CVE-2023-24932) - Critical [736]
Description:

Value | Weight | Comment
---|---|---
1.0 | 18 | Exploitation in the wild is mentioned on AttackerKB, Microsoft websites
0.6 | 17 | The exploit's existence is mentioned in Microsoft CVSS Temporal Score (Functional Exploit)
0.9 | 15 | Security Feature Bypass
0.8 | 14 | Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM)
0.7 | 10 | CVSS Base Score is 6.7. According to Microsoft data source
0.2 | 10 | EPSS Probability is 0.00052, EPSS Percentile is 0.1805

qualys: CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability Secure Boot is a crucial security feature that helps prevent malicious software from loading while the computer boots. This security standard maintains computers’ safety by ensuring that the device boots only using trusted software provided by the Original Equipment Manufacturer (OEM). An attacker with physical access or administrative permissions to a target device may exploit this vulnerability to install an affected boot policy. On successful exploitation, an attacker can bypass the Secure Boot.
qualys: CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 6.7/10. This CVE needs a patch as well as a post-patch config change. Steps for revocations: 1. Apply both revocations from the script. 2. Restart the asset. 3. Verify the installation and revocation list from the script. 4. Wait for five minutes and then restart again. Important: An additional restart is required to fully initialize the revocation protections. Caution: Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.
tenable: CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability
tenable: CVE-2023-24932 is a security feature bypass vulnerability in Secure Boot in Windows operating systems, which allows for running of untrusted software during the boot up process. It was publicly disclosed and exploited in the wild as a zero-day prior to a patch being available. The flaw was given a CVSSv3 score of 6.7. Exploitation of this vulnerability requires an attacker to have administrative rights or physical access to the vulnerable device, so Microsoft has rated this as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.
tenable: According to the advisory, additional steps must be taken to mitigate this vulnerability. These steps are outlined in KB5025885 which specifies that the May 9, 2023 Windows security updates must be installed first. The KB article notes that this update and the associated mitigation steps are necessary due to the publicly disclosed bypass being used by the BlackLotus UEFI bootkit. More information can be found in a blog post by ESET who are also credited with disclosing CVE-2023-24932 to Microsoft alongside Tomer Sne-or with SentinelOne.
tenable: CVE-2023-24932 is the fourth security feature bypass vulnerability disclosed in 2023 in either Windows Boot Manager or Secure Boot. In April’s Patch Tuesday release, Microsoft addressed CVE-2023-28269 and CVE-2023-28249, and in January’s Patch Tuesday release, Microsoft addressed CVE-2023-21560.
rapid7: First up: a zero-day Secure Boot Security Feature Bypass vulnerability which is actively exploited by the BlackLotus bootkit malware. Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access. The relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.
rapid7: Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.
3. Memory Corruption - Microsoft Edge (CVE-2023-2136) - Critical [657]
Description: Chromium: CVE-2023-2136

Value | Weight | Comment
---|---|---
1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
0.6 | 15 | Memory Corruption
0.8 | 14 | Web browser
1.0 | 10 | CVSS Base Score is 9.6. According to NVD data source
0.7 | 10 | EPSS Probability is 0.00549, EPSS Percentile is 0.74176

MS PT Extended: CVE-2023-2136 was published before the May 2023 Patch Tuesday, in the period from 2023-04-12 to 2023-05-08
4. Remote Code Execution - Windows OLE (CVE-2023-29325) - High [583]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0.4 | 17 | The exploit's existence is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit)
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
0.8 | 10 | EPSS Probability is 0.00609, EPSS Percentile is 0.75528

qualys: CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability OLE (Object Linking and Embedding) is a mechanism to help users create and edit documents containing “objects” made by multiple applications. Sound clips, spreadsheets, and bitmaps are examples of OLE document components. There are two prerequisites for the exploitation of this vulnerability: winning a race condition, and taking additional actions before exploitation to prepare the target environment. An attacker could exploit this vulnerability in an email attack by sending a specially crafted email. A user may be tricked into opening a specifically crafted email using an affected version of Microsoft Outlook, or a victim’s Outlook application could preview a specially crafted email. As a result, an attacker may perform remote code execution on the victim’s computer.
qualys: CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 7.3. Policy Compliance Control IDs (CIDs): 13818 (Status of the ‘Read e-mail as plain text’ group policy setting), 13815 (Status of the ‘Read signed e-mail as plain text’ group policy setting).
tenable: CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability
tenable: CVE-2023-29325 is a RCE in the Windows Object Linking and Embedding (OLE) mechanism of Windows operating systems that was publicly disclosed and given a CVSSv3 score of 8.1. Windows OLE is a technology that allows the creation of documents that contain objects from several applications. The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation. An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability has been given a high complexity as successful exploitation requires the attacker to win a race condition and the target to be prepared for exploitation.
zdi: CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability. While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.
5. Elevation of Privilege - Windows Win32k (CVE-2023-29336) - High [572]
Description:

Value | Weight | Comment
---|---|---
1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
0.5 | 15 | Elevation of Privilege
0.9 | 14 | Windows kernel-mode driver
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
0.2 | 10 | EPSS Probability is 0.00051, EPSS Percentile is 0.17685

qualys: CVE-2023-29336: Win32k Elevation of Privilege Vulnerability The vulnerability exists in Win32k, a Windows Core Library, and is known to be exploited in the wild. An attacker with local access may exploit this vulnerability in a low-complexity attack without needing any privileges. An attacker could gain SYSTEM privileges on the affected system after successful exploitation. CISA has added the CVE-2023-29336 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before May 30, 2023.
tenable: Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
tenable: CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability
tenable: CVE-2023-29336 is an EoP vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. Exploitation of this vulnerability would allow an attacker to gain SYSTEM level privileges on an affected host. Over the last few years, we have seen multiple Win32k EoP zero days exploited in the wild. In the January 2022 Patch Tuesday release, Microsoft patched CVE-2022-21882. CVE-2022-21882 was reportedly a patch bypass for CVE-2021-1732, another Win32k EoP zero day vulnerability from February 2021. In October 2021, Microsoft patched CVE-2021-40449, another Win32k EoP zero day linked to a remote access trojan known as MysterySnail and was reportedly a patch bypass for CVE-2016-3309. It is unclear if CVE-2023-29336 is also a patch bypass.
rapid7: The second of this month’s zero-day trio is an RCE vulnerability targeting Outlook users, as well as Windows Explorer. The vulnerability is in the proprietary Microsoft Object Linking and Embedding (OLE) layer, which allows embedding and linking to documents and other objects, and the Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment. This should significantly reduce the real-world impact of this vulnerability. Mitigations include disabling the Preview Pane, as well as configuring Outlook to read all emails in plain text mode. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation.
zdi: CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability. This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be.
6. Remote Code Execution - Windows Network File System (CVE-2023-24941) - High [550]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
1.0 | 10 | CVSS Base Score is 9.8. According to Microsoft data source
1.0 | 10 | EPSS Probability is 0.784, EPSS Percentile is 0.97744

qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability Network File System (NFS) offers a file-sharing solution for enterprises with heterogeneous environments, including Windows and non-Windows computers. The NFS protocol helps transfer files between Windows computers, Linux or UNIX. The vulnerability affects the NFSV4. A local attacker with network access can exploit this vulnerability by making an unauthenticated, specially crafted call to a Network File System (NFS) service that triggers remote code execution.
qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8 / 8.5. Policy Compliance Control IDs (CIDs): 24139 (Status of the Windows Network File System (NFSV4) service).
qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10.
tenable: CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability
tenable: CVE-2023-24941 is a critical RCE vulnerability affecting supported versions of Windows Server that was given a CVSSv3 score of 9.8. The affected component is the Network File System (NFS) service, which is used for file sharing between Unix and Windows Server systems. Specifically the vulnerability affects NFSV4.1, but not NFSV2.0 or NFSV3.0. CVE-2023-24941 can be exploited by a remote, unauthenticated attacker sending a malicious call to a vulnerable server.
rapid7: Although Microsoft is not aware of public disclosure or in-the-wild exploitation, Network File System (NFS) RCE vulnerability CVE-2023-24941 is a network attack with low complexity affecting Windows assets running NFS v4.1. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality. Older versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.
zdi: CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead.
7. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-24943) - High [526]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
1.0 | 10 | CVSS Base Score is 9.8. According to Microsoft data source
0.8 | 10 | EPSS Probability is 0.01074, EPSS Percentile is 0.82132

qualys: CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously. Only PGM Server is vulnerable to this flaw. When the Windows Message Queuing service runs in a PGM Server environment, an attacker may send a specially crafted file over the network to achieve remote code execution and trigger malicious code.
qualys: CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8 / 8.5. Policy Compliance Control IDs (CIDs): 4030 (Status of the ‘Windows Message Queuing Service’). The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [13818, 13815, 24139, 4030]
rapid7: CVE-2023-24943 describes a vulnerability in Windows Pragmatic General Multicast (PGM), and is a concern only for assets running Windows Message Queuing Service (MSQS) in a PGM environment. Microsoft recommends newer alternatives to PGM in the advisory. A further two critical RCE for MSQS were patched last month, and the continued flow of vulnerabilities suggests that MSQS will continue to be an area of interest for security researchers. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.
8. Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-28283) - High [502]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
0.8 | 10 | EPSS Probability is 0.00641, EPSS Percentile is 0.76213

qualys: CVE-2023-28283: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. The LDAP directory service is based on a client-server model that enables access to an existing directory. LDAP stores data in the LDAP directory and authenticates users to access the directory. An unauthenticated attacker must win a race condition to exploit this vulnerability. On successful exploitation, an attacker could perform remote code execution within the context of the LDAP service with the help of a specially crafted set of LDAP requests.
rapid7: The final Critical RCE this month is CVE-2023-28283, which is also a high-complexity network-vector attack involving a race condition. In this case, the attack is conducted via a specially-crafted set of LDAP calls.
9. Remote Code Execution - Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2023-24903) - High [490]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
0.7 | 10 | EPSS Probability is 0.00411, EPSS Percentile is 0.70149

qualys: CVE-2023-24903: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Secure Socket Tunneling Protocol (SSTP) is a type of virtual private network (VPN) tunnel. The protocol helps to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with encryption and traffic integrity checking. An attacker must win a race condition to exploit this vulnerability. To exploit this vulnerability, an attacker may send a specially crafted malicious SSTP packet to an SSTP server. On successful exploitation, the attacker may perform remote code execution on the server side.
rapid7: Long-standing Patch Tuesday entrant Windows Secure Socket Tunneling Protocol (SSTP) provides CVE-2023-24903 this month, which is a critical RCE involving sending a specially crafted SSTP packet to an SSTP server and winning a race condition. This qualifies as high attack complexity, and Microsoft considers exploitation less likely.
10. Security Feature Bypass - Microsoft Defender (CVE-2023-24934) - High [482]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0.4 | 17 | The exploit's existence is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit)
0.9 | 15 | Security Feature Bypass
0.8 | 14 | Anti-malware component of Microsoft Windows
0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source
0.3 | 10 | EPSS Probability is 0.00079, EPSS Percentile is 0.3257

MS PT Extended: CVE-2023-24934 was published before the May 2023 Patch Tuesday, in the period from 2023-04-12 to 2023-05-08
11. Remote Code Execution - Windows Bluetooth Driver (CVE-2023-24947) - High [466]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Windows component
0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source
0.4 | 10 | EPSS Probability is 0.00113, EPSS Percentile is 0.43632

12. Remote Code Execution - Windows Remote Desktop Client (CVE-2023-24905) - High [454]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.8 | 14 | Remote Desktop Protocol Client
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
0.4 | 10 | EPSS Probability is 0.00113, EPSS Percentile is 0.43632

rapid7: “Windows Remote Desktop” and “Remote Code Execution” can be a very potent combination, as defenders who remember the BlueKeep vulnerability are acutely aware. However, while CVE-2023-24905 is interesting, it is an altogether different and less threatening animal. Opening a specially-crafted malicious .rdp file on an unpatched asset can now lead to code execution in the context of the client, although the user must open the file locally – but the .rdp file could be hosted remotely on a file share.
13. Remote Code Execution - Microsoft SharePoint (CVE-2023-24955) - High [438]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
1.0 | 15 | Remote Code Execution
0.7 | 14 | Microsoft SharePoint
0.7 | 10 | CVSS Base Score is 7.2. According to Microsoft data source
0.5 | 10 | EPSS Probability is 0.00189, EPSS Percentile is 0.54989

qualys: CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that strengthens teamwork. The application helps in sharing files, data, news, and resources. An attacker is required to authenticate as a Site Owner to exploit this vulnerability. The vulnerability will allow an attacker to perform remote code execution on the SharePoint Server.
rapid7: Another candidate for inclusion in an exploit chain is SharePoint Critical RCE CVE-2023-24955, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Microsoft assesses this one as Exploitation More Likely, due in part to the low attack complexity. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable until patched. Anyone still running SharePoint Server 2013 should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of ESU; absence of evidence of vulnerability is by no means evidence of absence.
rapid7: As well as the SharePoint Critical RCE CVE-2023-24955 mentioned above, Microsoft is offering patches for two further SharePoint Server vulnerabilities.
zdi: CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass. This is what would happen in real-world scenarios as well. Although there are other SharePoint fixes being released this month, additional patches will be required to fully address what was disclosed. Hopefully, we’ll see the remaining Pwn2Own fixes in the coming months.
14. Security Feature Bypass - Microsoft Edge (CVE-2023-2459) - High [436]
Description (Microsoft): Chromium: CVE-2023-2459 Inappropriate implementation in Prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Description (Vulners): Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Medium)

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
0.9 | 15 | Security Feature Bypass
0.8 | 14 | Web browser
0.7 | 10 | CVSS Base Score is 6.5. According to Vulners data source
0.5 | 10 | EPSS Probability is 0.00132, EPSS Percentile is 0.46962

MS PT Extended: CVE-2023-2459 was published before the May 2023 Patch Tuesday, in the period from 2023-04-12 to 2023-05-08
15. Security Feature Bypass - Windows MSHTML Platform (CVE-2023-29324) - High [425]
Description:

Value | Weight | Comment
---|---|---
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites.
0.9 | 15 | Security Feature Bypass
0.8 | 14 | Windows component
0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source
0.4 | 10 | EPSS Probability is 0.00106, EPSS Percentile is 0.42001

qualys: Other Microsoft Vulnerability Highlights:
- CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation.
- CVE-2023-24949, a Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems.
- CVE-2023-24950, a spoofing vulnerability that allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation.
- CVE-2023-24954: an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation.
- CVE-2023-29324, an elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.

16. Denial of Service - Windows SMB (CVE-2023-24898) - High [422]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.7 | 15 | Denial of Service |
1 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00069, EPSS Percentile is 0.28216 |
17. Remote Code Execution - Microsoft Excel (CVE-2023-24953) - High [421]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
1.0 | 15 | Remote Code Execution |
0.6 | 14 | MS Office product |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.00113, EPSS Percentile is 0.43632 |
18. Memory Corruption - Microsoft Edge (CVE-2023-2133) - High [419]
Description: Chromium: CVE-2023-2133
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.6 | 15 | Memory Corruption |
0.8 | 14 | Web browser |
0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
0.6 | 10 | EPSS Probability is 0.00279, EPSS Percentile is 0.63669 |
MS PT Extended: CVE-2023-2133 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
19. Memory Corruption - Microsoft Edge (CVE-2023-2134) - High [419]
Description: Chromium: CVE-2023-2134
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.6 | 15 | Memory Corruption |
0.8 | 14 | Web browser |
0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
0.6 | 10 | EPSS Probability is 0.00279, EPSS Percentile is 0.63669 |
MS PT Extended: CVE-2023-2134 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
20. Memory Corruption - Microsoft Edge (CVE-2023-2137) - High [419]
Description: Chromium: CVE-2023-2137 Heap
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.6 | 15 | Memory Corruption |
0.8 | 14 | Web browser |
0.9 | 10 | CVSS Base Score is 8.8. According to Vulners data source |
0.6 | 10 | EPSS Probability is 0.0027, EPSS Percentile is 0.63026 |
MS PT Extended: CVE-2023-2137 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
21. Security Feature Bypass - Microsoft Word (CVE-2023-29335) - High [415]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.9 | 15 | Security Feature Bypass |
0.6 | 14 | MS Office product |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.5 | 10 | EPSS Probability is 0.00182, EPSS Percentile is 0.54123 |
22. Memory Corruption - Microsoft Edge (CVE-2023-2135) - High [407]
Description: Chromium: CVE-2023-2135
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.6 | 15 | Memory Corruption |
0.8 | 14 | Web browser |
0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
0.6 | 10 | EPSS Probability is 0.00279, EPSS Percentile is 0.63669 |
MS PT Extended: CVE-2023-2135 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
23. Denial of Service - Remote Procedure Call Runtime (CVE-2023-24942) - High [405]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.7 | 15 | Denial of Service |
0.9 | 14 | Remote Procedure Call Runtime |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00069, EPSS Percentile is 0.28216 |
24. Remote Code Execution - AV1 Video Extension (CVE-2023-29340) - High [404]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
1.0 | 15 | Remote Code Execution |
0.5 | 14 | AV1 Video Extension |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.00113, EPSS Percentile is 0.43632 |
rapid7: Two related vulnerabilities in the AV1 video extension are patched this month: CVE-2023-29340 and CVE-2023-29341. A victim who opens a specially-crafted AV1 video file may enable an attacker to run code on their local machine. Only assets with the AV1 video extension installed via the Microsoft Store are vulnerable. This is another one of those arguably counterintuitive RCE vulnerabilities where Microsoft reminds us that “remote” refers to the location of the attacker, rather than the attack, since local user interaction is required.
25. Remote Code Execution - AV1 Video Extension (CVE-2023-29341) - High [404]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
1.0 | 15 | Remote Code Execution |
0.5 | 14 | AV1 Video Extension |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.00113, EPSS Percentile is 0.43632 |
rapid7: Two related vulnerabilities in the AV1 video extension are patched this month: CVE-2023-29340 and CVE-2023-29341. A victim who opens a specially-crafted AV1 video file may enable an attacker to run code on their local machine. Only assets with the AV1 video extension installed via the Microsoft Store are vulnerable. This is another one of those arguably counterintuitive RCE vulnerabilities where Microsoft reminds us that “remote” refers to the location of the attacker, rather than the attack, since local user interaction is required.
26. Security Feature Bypass - Microsoft Edge (CVE-2023-2460) - High [401]
Description: Chromium: CVE-2023-2460
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.9 | 15 | Security Feature Bypass |
0.8 | 14 | Web browser |
0.7 | 10 | CVSS Base Score is 7.1. According to Vulners data source |
0.2 | 10 | EPSS Probability is 0.00058, EPSS Percentile is 0.22615 |
MS PT Extended: CVE-2023-2460 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
27. Security Feature Bypass - Microsoft Edge (CVE-2023-2467) - High [401]
Description: Chromium: CVE-2023-2467 Inappropriate implementation in Prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Vulners: Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to bypass permissions restrictions via a crafted HTML page. (Chromium security severity: Low)
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.9 | 15 | Security Feature Bypass |
0.8 | 14 | Web browser |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source |
0.5 | 10 | EPSS Probability is 0.00127, EPSS Percentile is 0.46042 |
MS PT Extended: CVE-2023-2467 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
28. Denial of Service - Server for NFS (CVE-2023-24939) - Medium [389]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.7 | 15 | Denial of Service |
0.8 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00069, EPSS Percentile is 0.28216 |
29. Denial of Service - Windows Pragmatic General Multicast (PGM) (CVE-2023-24940) - Medium [389]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.7 | 15 | Denial of Service |
0.8 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00069, EPSS Percentile is 0.28216 |
30. Elevation of Privilege - Microsoft Edge (CVE-2023-29350) - Medium [389]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Web browser |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.6 | 10 | EPSS Probability is 0.00277, EPSS Percentile is 0.63542 |
MS PT Extended: CVE-2023-29350 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
31. Security Feature Bypass - Microsoft Edge (CVE-2023-29354) - Medium [389]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.9 | 15 | Security Feature Bypass |
0.8 | 14 | Web browser |
0.5 | 10 | CVSS Base Score is 4.7. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.0007, EPSS Percentile is 0.28843 |
MS PT Extended: CVE-2023-29354 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
32. Security Feature Bypass - Windows Driver Revocation List (CVE-2023-28251) - Medium [377]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.9 | 15 | Security Feature Bypass |
0.8 | 14 | Windows component |
0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
33. Remote Code Execution - Microsoft Office (CVE-2023-29344) - Medium [373]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
1.0 | 15 | Remote Code Execution |
0.6 | 14 | Microsoft Office |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
34. Information Disclosure - Windows NFS Portmapper (CVE-2023-24901) - Medium [347]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.8 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.00114, EPSS Percentile is 0.43733 |
35. Elevation of Privilege - Windows Kernel (CVE-2023-24949) - Medium [346]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.9 | 14 | Windows Kernel |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14629 |
qualys: Other Microsoft Vulnerability Highlights: CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24949, Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems. CVE-2023-24950, the spoofing vulnerability, allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation. CVE-2023-24954, an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation. CVE-2023-29324, the elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.
36. Elevation of Privilege - Windows Win32k (CVE-2023-24902) - Medium [346]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.9 | 14 | Windows kernel-mode driver |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
qualys: Other Microsoft Vulnerability Highlights: CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24949, Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems. CVE-2023-24950, the spoofing vulnerability, allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation. CVE-2023-24954, an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation. CVE-2023-29324, the elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.
37. Information Disclosure - Windows NTLM (CVE-2023-24900) - Medium [340]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.9 | 14 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity |
0.6 | 10 | CVSS Base Score is 5.9. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.0011, EPSS Percentile is 0.42757 |
38. Elevation of Privilege - SysInternals Sysmon for Windows (CVE-2023-29343) - Medium [329]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
39. Elevation of Privilege - Windows Backup Service (CVE-2023-24946) - Medium [329]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Windows component |
0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
40. Elevation of Privilege - Windows Bluetooth Driver (CVE-2023-24948) - Medium [329]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Windows component |
0.7 | 10 | CVSS Base Score is 7.4. According to Microsoft data source |
0.2 | 10 | EPSS Probability is 0.00053, EPSS Percentile is 0.18867 |
41. Elevation of Privilege - Windows Graphics Component (CVE-2023-24899) - Medium [317]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Windows component |
0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.0769 |
42. Elevation of Privilege - Windows Installer (CVE-2023-24904) - Medium [317]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.5 | 15 | Elevation of Privilege |
0.8 | 14 | Windows component |
0.7 | 10 | CVSS Base Score is 7.1. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
43. Information Disclosure - Microsoft Remote Desktop app for Windows (CVE-2023-28290) - Medium [311]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.8 | 14 | Windows component |
0.5 | 10 | CVSS Base Score is 5.3. According to Microsoft data source |
0.4 | 10 | EPSS Probability is 0.00102, EPSS Percentile is 0.40418 |
44. Information Disclosure - Windows Bluetooth Driver (CVE-2023-24944) - Medium [311]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.8 | 14 | Windows component |
0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
0.2 | 10 | EPSS Probability is 0.00052, EPSS Percentile is 0.18105 |
45. Spoofing - Microsoft Edge (CVE-2023-2466) - Medium [311]
Description: Chromium: CVE-2023-2466 Inappropriate implementation in Prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Vulners: Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: Low)
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Spoofing |
0.8 | 14 | Web browser |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source |
0.5 | 10 | EPSS Probability is 0.00122, EPSS Percentile is 0.45257 |
MS PT Extended: CVE-2023-2466 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
46. Information Disclosure - Microsoft SharePoint (CVE-2023-24954) - Medium [307]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.7 | 14 | Microsoft SharePoint |
0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00068, EPSS Percentile is 0.28078 |
qualys: Other Microsoft Vulnerability Highlights: CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24949, Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems. CVE-2023-24950, the spoofing vulnerability, allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation. CVE-2023-24954, an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation. CVE-2023-29324, the elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.
rapid7: You could also try your hand at CVE-2023-24954, which allows an authenticated attacker to harvest user tokens from an unpatched system, as well as the Domain SID prefix for the targeted site, which might be worth knowing for an attacker looking to conceal persistence.
47. Spoofing - Microsoft SharePoint (CVE-2023-24950) - Medium [295]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Spoofing |
0.7 | 14 | Microsoft SharePoint |
0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
0.2 | 10 | EPSS Probability is 0.00057, EPSS Percentile is 0.21651 |
qualys: Other Microsoft Vulnerability Highlights: CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24949, Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems. CVE-2023-24950, the spoofing vulnerability, allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation. CVE-2023-24954, an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation. CVE-2023-29324, the elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.
rapid7: Have you ever wondered how to obtain the NTLM hash of a SharePoint Server host? If so, then CVE-2023-24950 may be just what you’ve been looking for. Although this Spoofing vulnerability requires privileges to create a site on the SharePoint server, that need not be much of a problem, since in many SharePoint environments, this privilege is widely granted.
48. Information Disclosure - Windows iSCSI Target Service (CVE-2023-24945) - Medium [288]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.8 | 14 | Windows component |
0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
49. Spoofing - Microsoft Edge (CVE-2023-29334) - Medium [288]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Spoofing |
0.8 | 14 | Web browser |
0.4 | 10 | CVSS Base Score is 4.3. According to Microsoft data source |
0.3 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.25105 |
MS PT Extended: CVE-2023-29334 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
50. Information Disclosure - Visual Studio Code (CVE-2023-29338) - Medium [285]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0.4 | 17 | The exploit's existence is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit) |
0.4 | 15 | Information Disclosure |
0.3 | 14 | Integrated development environment |
0.5 | 10 | CVSS Base Score is 5.0. According to Microsoft data source |
0.2 | 10 | EPSS Probability is 0.00054, EPSS Percentile is 0.19714 |
51. Denial of Service - Microsoft Access (CVE-2023-29333) - Medium [272]
Description:
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.7 | 15 | Denial of Service |
0.6 | 14 | MS Office product |
0.3 | 10 | CVSS Base Score is 3.3. According to Microsoft data source |
0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.14655 |
52. Information Disclosure - Teams (CVE-2023-24881) - Medium [254]
Description: Microsoft
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0.4 | 15 | Information Disclosure |
0.6 | 14 | MS Office product |
0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
53. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2462) - Medium [240]
Description: Chromium: CVE-2023-2462 Inappropriate implementation in Prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Vulners: Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to obfuscate main origin data via a crafted HTML page. (Chromium security severity: Medium)
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0 | 15 | Unknown Vulnerability Type |
0.8 | 14 | Web browser |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source |
0.5 | 10 | EPSS Probability is 0.00122, EPSS Percentile is 0.45257 |
MS PT Extended: CVE-2023-2462 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
54. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2463) - Medium [240]
Description: Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Vulners: Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Value | Weight | Comment |
---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. |
0 | 15 | Unknown Vulnerability Type |
0.8 | 14 | Web browser |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source |
0.5 | 10 | EPSS Probability is 0.00122, EPSS Percentile is 0.45257 |
MS PT Extended: CVE-2023-2463 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
55. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2465) - Medium [240]
Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2465 Inappropriate implementation in CORS. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in CORS in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}
Component | Value | Weight | Comment |
---|---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites | |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. | |
0 | 15 | Unknown Vulnerability Type | |
0.8 | 14 | Web browser | |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source | |
0.5 | 10 | EPSS Probability is 0.00122, EPSS Percentile is 0.45257 |
MS PT Extended: CVE-2023-2465 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
56. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2468) - Medium [240]
Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low)', 'combined_cve_data_all': ''}
Component | Value | Weight | Comment |
---|---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites | |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. | |
0 | 15 | Unknown Vulnerability Type | |
0.8 | 14 | Web browser | |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source | |
0.5 | 10 | EPSS Probability is 0.00122, EPSS Percentile is 0.45257 |
MS PT Extended: CVE-2023-2468 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
57. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2464) - Medium [204]
Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to perform an origin spoof in the security UI via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}
Component | Value | Weight | Comment |
---|---|---|---|
0 | 18 | Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites | |
0 | 17 | The exploit's existence is NOT mentioned on Vulners and Microsoft websites. | |
0 | 15 | Unknown Vulnerability Type | |
0.8 | 14 | Web browser | |
0.4 | 10 | CVSS Base Score is 4.3. According to Vulners data source | |
0.2 | 10 | EPSS Probability is 0.00055, EPSS Percentile is 0.20853 |
MS PT Extended: CVE-2023-2464 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2033 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2136 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
qualys: CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability Secure Boot is a crucial security feature that helps prevent malicious software from loading while the computer boots. This security standard maintains computers’ safety by ensuring that the device boots only using trusted software provided by the Original Equipment Manufacturer (OEM). An attacker with physical access or administrative permissions to a target device may exploit this vulnerability to install an affected boot policy. On successful exploitation, an attacker can bypass the Secure Boot.
qualys: CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 6.7/10. This CVE needs a patch as well as a post-patch config change. Steps for revocations: 1. Apply both revocations from the script. 2. Restart the asset. 3. Verify the installation and revocation list from the script. 4. Wait for five minutes and then restart again. Important: An additional restart is required to fully initialize the revocation protections. Caution: Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.
tenable: CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability
tenable: CVE-2023-24932 is a security feature bypass vulnerability in Secure Boot in Windows operating systems, which allows for running of untrusted software during the boot up process. It was publicly disclosed and exploited in the wild as a zero-day prior to a patch being available. The flaw was given a CVSSv3 score of 6.7. Exploitation of this vulnerability requires an attacker to have administrative rights or physical access to the vulnerable device, so Microsoft has rated this as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.
tenable: According to the advisory, additional steps must be taken to mitigate this vulnerability. These steps are outlined in KB5025885 which specifies that the May 9, 2023 Windows security updates must be installed first. The KB article notes that this update and the associated mitigation steps are necessary due to the publicly disclosed bypass being used by the BlackLotus UEFI bootkit. More information can be found in a blog post by ESET who are also credited with disclosing CVE-2023-24932 to Microsoft alongside Tomer Sne-or with SentinelOne.
tenable: CVE-2023-24932 is the fourth security feature bypass vulnerability disclosed in 2023 in either Windows Boot Manager or Secure Boot. In April’s Patch Tuesday release, Microsoft addressed CVE-2023-28269 and CVE-2023-28249, and in January’s Patch Tuesday release, Microsoft addressed CVE-2023-21560.
rapid7: First up: a zero-day Secure Boot Security Feature Bypass vulnerability which is actively exploited by the BlackLotus bootkit malware. Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access. The relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.
rapid7: Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.
qualys: CVE-2023-29336: Win32k Elevation of Privilege Vulnerability The vulnerability exists in Win32k, a Windows Core Library, and is known to be exploited in the wild. An attacker with local access may exploit this vulnerability in a low-complexity attack without needing any privileges. An attacker could gain SYSTEM privileges on the affected system after successful exploitation. CISA has added the CVE-2023-29336 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before May 30, 2023.
tenable: Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
tenable: CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability
tenable: CVE-2023-29336 is an EoP vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. Exploitation of this vulnerability would allow an attacker to gain SYSTEM level privileges on an affected host. Over the last few years, we have seen multiple Win32k EoP zero days exploited in the wild. In the January 2022 Patch Tuesday release, Microsoft patched CVE-2022-21882. CVE-2022-21882 was reportedly a patch bypass for CVE-2021-1732, another Win32k EoP zero day vulnerability from February 2021. In October 2021, Microsoft patched CVE-2021-40449, another Win32k EoP zero day linked to a remote access trojan known as MysterySnail and was reportedly a patch bypass for CVE-2016-3309. It is unclear if CVE-2023-29336 is also a patch bypass.
rapid7: The second of this month’s zero-day trio is an RCE vulnerability targeting Outlook users, as well as Windows Explorer. The vulnerability is in the proprietary Microsoft Object Linking and Embedding (OLE) layer, which allows embedding and linking to documents and other objects, and the Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment. This should significantly reduce the real-world impact of this vulnerability. Mitigations include disabling the Preview Pane, as well as configuring Outlook to read all emails in plain text mode. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation.
zdi: CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability. This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be.
qualys: CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability OLE (Object Linking and Embedding) is a mechanism to help users create and edit documents containing “objects” made by multiple applications. Sound clips, spreadsheets, and bitmaps are examples of OLE document components. There are two prerequisites for the exploitation of this vulnerability: winning a race condition, and taking additional actions before exploitation to prepare the target environment. An attacker could exploit this vulnerability in an email attack by sending a specially crafted email. A user may be tricked into opening a specifically crafted email using an affected version of Microsoft Outlook, or a victim’s Outlook application could preview a specially crafted email. As a result, an attacker may perform remote code execution on the victim’s computer.
qualys: CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 7.3. Policy Compliance Control IDs (CIDs): 13818 Status of the ‘Read e-mail as plain text’ group policy setting; 13815 Status of the ‘Read signed e-mail as plain text’ group policy setting.
tenable: CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability
tenable: CVE-2023-29325 is a RCE in the Windows Object Linking and Embedding (OLE) mechanism of Windows operating systems that was publicly disclosed and given a CVSSv3 score of 8.1. Windows OLE is a technology that allows the creation of documents that contain objects from several applications. The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation. An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability has been given a high complexity as successful exploitation requires the attacker to win a race condition and the target to be prepared for exploitation.
zdi: CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability. While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.
qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability Network File System (NFS) offers a file-sharing solution for enterprises with heterogeneous environments, including Windows and non-Windows computers. The NFS protocol helps transfer files between Windows computers, Linux or UNIX. The vulnerability affects the NFSV4. A local attacker with network access can exploit this vulnerability by making an unauthenticated, specially crafted call to a Network File System (NFS) service that triggers remote code execution.
qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8 / 8.5. Policy Compliance Control IDs (CIDs): 24139 Status of the Windows Network File System (NFSV4) service
qualys: CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10.
tenable: CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability
tenable: CVE-2023-24941 is a critical RCE vulnerability affecting supported versions of Windows Server that was given a CVSSv3 score of 9.8. The affected component is the Network File System (NFS) service, which is used for file sharing between Unix and Windows Server systems. Specifically the vulnerability affects NFSV4.1, but not NFSV2.0 or NFSV3.0. CVE-2023-24941 can be exploited by a remote, unauthenticated attacker sending a malicious call to a vulnerable server.
rapid7: Although Microsoft is not aware of public disclosure or in-the-wild exploitation, Network File System (NFS) RCE vulnerability CVE-2023-24941 is a network attack with low complexity affecting Windows assets running NFS v4.1. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality. Older versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.
zdi: CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead.
qualys: CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously. Only PGM Server is vulnerable to this flaw. When the Windows Message Queuing service runs in a PGM Server environment, an attacker may send a specially crafted file over the network to achieve remote code execution and trigger malicious code.
qualys: CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8 / 8.5. Policy Compliance Control IDs (CIDs): 4030 Status of the ‘Windows Message Queuing Service’. The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [13818, 13815, 24139, 4030]
rapid7: CVE-2023-24943 describes a vulnerability in Windows Pragmatic General Multicast (PGM), and is a concern only for assets running Windows Message Queuing Service (MSQS) in a PGM environment. Microsoft recommends newer alternatives to PGM in the advisory. A further two critical RCE for MSQS were patched last month, and the continued flow of vulnerabilities suggests that MSQS will continue to be an area of interest for security researchers. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.
qualys: CVE-2023-28283: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. The LDAP directory service is based on a client-server model that enables access to an existing directory. LDAP stores data in the LDAP directory and authenticates users to access the directory. An unauthenticated attacker must win a race condition to exploit this vulnerability. On successful exploitation, an attacker could perform remote code execution within the context of the LDAP service with the help of a specially crafted set of LDAP requests.
rapid7: The final Critical RCE this month is CVE-2023-28283, which is also a high-complexity network-vector attack involving a race condition. In this case, the attack is conducted via a specially-crafted set of LDAP calls.
qualys: CVE-2023-24903: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Secure Socket Tunneling Protocol (SSTP) is a type of virtual private network (VPN) tunnel. The protocol helps to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with encryption and traffic integrity checking. An attacker must win a race condition to exploit this vulnerability. To exploit this vulnerability, an attacker may send a specially crafted malicious SSTP packet to an SSTP server. On successful exploitation, the attacker may perform remote code execution on the server side.
rapid7: Long-standing Patch Tuesday entrant Windows Secure Socket Tunneling Protocol (SSTP) provides CVE-2023-24903 this month, which is a critical RCE involving sending a specially crafted SSTP packet to an SSTP server and winning a race condition. This qualifies as high attack complexity, and Microsoft considers exploitation less likely.
rapid7: “Windows Remote Desktop” and “Remote Code Execution” can be a very potent combination, as defenders who remember the BlueKeep vulnerability are acutely aware. However, while CVE-2023-24905 is interesting, it is an altogether different and less threatening animal. Opening a specially-crafted malicious .rdp file on an unpatched asset can now lead to code execution in the context of the client, although the user must open the file locally – but the .rdp file could be hosted remotely on a file share.
qualys: CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that strengthens teamwork. The application helps in sharing files, data, news, and resources. An attacker is required to authenticate as a Site Owner to exploit this vulnerability. The vulnerability will allow an attacker to perform remote code execution on the SharePoint Server.
rapid7: Another candidate for inclusion in an exploit chain is SharePoint Critical RCE CVE-2023-24955, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Microsoft assesses this one as Exploitation More Likely, due in part to the low attack complexity. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable until patched. Anyone still running SharePoint Server 2013 should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of ESU; absence of evidence of vulnerability is by no means evidence of absence.
rapid7: As well as the SharePoint Critical RCE CVE-2023-24955 mentioned above, Microsoft is offering patches for two further SharePoint Server vulnerabilities.
zdi: CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass. This is what would happen in real-world scenarios as well. Although there are other SharePoint fixes being released this month, additional patches will be required to fully address what was disclosed. Hopefully, we’ll see the remaining Pwn2Own fixes in the coming months.
rapid7: Two related vulnerabilities in the AV1 video extension are patched this month: CVE-2023-29340 and CVE-2023-29341. A victim who opens a specially-crafted AV1 video file may enable an attacker to run code on their local machine. Only assets with the AV1 video extension installed via the Microsoft Store are vulnerable. This is another one of those arguably counterintuitive RCE vulnerabilities where Microsoft reminds us that “remote” refers to the location of the attacker, rather than the attack, since local user interaction is required.
MS PT Extended: CVE-2023-24934 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2467 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2460 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-29354 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2459 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
qualys: Other Microsoft Vulnerability Highlights CVE-2023-24902, an elevation of privilege vulnerability in Win32k that may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24949, Windows kernel elevation of privilege vulnerability with which an attacker could gain SYSTEM privileges on affected systems. CVE-2023-24950, the spoofing vulnerability, allows a privileged attacker to create a site on a vulnerable SharePoint server. An attacker may cause the server to leak its NTLM hash on successful exploitation. CVE-2023-24954, an authenticated attacker may exploit this vulnerability to disclose user tokens and other potentially sensitive information. An attacker could gain the Domain SID prefix for the targeted site on successful exploitation. CVE-2023-29324, the elevation of privilege vulnerability in MSHTML, a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still very much relevant today because the legacy browser engine is still used in various Windows applications. An attacker must take additional actions before exploitation to prepare the target environment. On successful exploitation, an attacker could gain Administrator privileges.
MS PT Extended: CVE-2023-2137 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2133 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2134 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2135 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-29350 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
rapid7: You could also try your hand at CVE-2023-24954, which allows an authenticated attacker to harvest user tokens from an unpatched system, as well as the Domain SID prefix for the targeted site, which might be worth knowing for an attacker looking to conceal persistence.
MS PT Extended: CVE-2023-29334 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
MS PT Extended: CVE-2023-2466 was published before May 2023 Patch Tuesday from 2023-04-12 to 2023-05-08
rapid7: Have you ever wondered how to obtain the NTLM hash of a SharePoint Server host? If so, then CVE-2023-24950 may be just what you’ve been looking for. Although this Spoofing vulnerability requires privileges to create a site on the SharePoint server, that need not be much of a problem, since in many SharePoint environments, this privilege is widely granted.