Back to KEVs

CVE-2023-36884

Windows Search Remote Code Execution Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
June 27, 2023
Published Date
July 11, 2023
Last Updated
February 03, 2025
Vendor
Microsoft
Product
Windows 10 Version 1809, Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server 2022, Windows 11 version 21H2, Windows 10 Version 21H2, Windows 11 version 22H2, Windows 10 Version 22H2, Windows 10 Version 1507, Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), Windows Server 2008 Service Pack 2, Windows Server 2008 Service Pack 2 (Server Core installation), Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation), Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2, Windows Server 2012 R2 (Server Core installation)
Description
Windows Search Remote Code Execution Vulnerability
Tags
windows cisa malware ransomware nessus_scanner microsoft

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2023-07-17 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2023-07-28 20:39:37 UTC) Source
Used in Malware
Yes (added 2023-07-17 00:00:00 UTC) Source

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-07-17 00:00:00 UTC

Recent Mentions

Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances.  Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts. For a deeper look at the trends discussed in this report, along with recommendations for defenders, register for our upcoming zero-day webinar. Scope  This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from...

Scanner Integrations

Scanner URL Date Detected
Nessus https://www.tenable.com/plugins/nessus/178275 2023-07-13 22:06:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

jakabakos/CVE-2023-36884-MS-Office-HTML-RCE

Type: github • Created: 2023-09-28 11:53:44 UTC • Stars: 40

MS Office and Windows HTML RCE (CVE-2023-36884) - PoC and exploit

raresteak/CVE-2023-36884

Type: github • Created: 2023-07-30 14:53:25 UTC • Stars: 1

#comeonits2023 #ie9 #Storm-0978

ridsoliveira/Fix-CVE-2023-36884

Type: github • Created: 2023-07-28 20:39:37 UTC • Stars: 2

tarraschk/CVE-2023-36884-Checker

Type: github • Created: 2023-07-17 14:02:40 UTC • Stars: 14

Script to check for CVE-2023-36884 hardening

zerosorai/CVE-2023-36884

Type: github • Created: 2023-07-15 16:56:18 UTC • Stars: 2

This is an emergency solution while Microsoft addresses the vulnerability.

Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline

Type: github • Created: 2023-07-12 14:13:20 UTC • Stars: 25

The remediation script should set the reg entries described in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 . The detection script checks if they exist. Provided AS-IS without any warrenty.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nessus

  • Exploit Used in Malware

  • Added to KEVIntel

  • Proof of Concept Exploit Available