CVE-2023-28229 Overview
CVE-2023-28229 is an elevation of privilege vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service. An authenticated local attacker who successfully exploits this flaw can gain SYSTEM-level privileges on affected Windows endpoints and servers. The vulnerability is tracked under [CWE-591] (Sensitive Data Storage in Improperly Locked Memory) and affects nearly every supported version of Windows, from Windows 10 1507 through Windows 11 22H2 and Windows Server 2008 through Server 2022. CISA added CVE-2023-28229 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
Critical Impact
Local attackers can elevate to SYSTEM privileges through the CNG Key Isolation Service, leading to full host compromise, credential theft, and lateral movement.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 20H2, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, and 2022
Discovery Timeline
- 2023-04-11 - CVE-2023-28229 published to NVD and Microsoft releases security patch
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-28229
Vulnerability Analysis
The CNG Key Isolation Service (keyiso) runs inside the lsass.exe process and provides key process isolation for private keys and associated cryptographic operations as required by Common Criteria. The service exposes a set of LRPC interfaces that user-mode processes invoke to perform key generation, signing, and decryption operations using protected key material.
CVE-2023-28229 stems from sensitive data being stored in improperly locked memory within the CNG Key Isolation Service [CWE-591]. By manipulating the service through its interfaces, a low-privileged local user can trigger conditions that expose key material or service state, ultimately gaining the SYSTEM token that the service runs under. Successful exploitation results in confidentiality, integrity, and availability compromise of the entire host.
Root Cause
The root cause is improper memory protection of sensitive cryptographic state inside the CNG Key Isolation Service. Memory regions that should remain locked and inaccessible to lower-privileged callers are reachable through the service's interfaces. This violates the isolation boundary the service is designed to enforce between user-mode callers and SYSTEM-context key operations.
Attack Vector
Exploitation requires local access and valid low-privilege credentials on the target host. An attacker invokes the CNG Key Isolation Service through its local RPC interface and triggers the flawed code path to influence privileged service state. Attack complexity is high because the attacker must win specific conditions inside the service. No user interaction is required, and once exploited the attacker executes arbitrary code as NT AUTHORITY\SYSTEM. Refer to the Microsoft Security Update for CVE-2023-28229 for vendor technical details.
Detection Methods for CVE-2023-28229
Indicators of Compromise
- Unexpected child processes or threads spawned from lsass.exe running with SYSTEM privileges shortly after a low-privileged user logon.
- Anomalous LRPC calls from non-administrative user sessions to the CNG Key Isolation Service (keyiso).
- New scheduled tasks, services, or local accounts created by a process whose parent is a standard user shell.
- Crash dumps or Application Error events referencing lsass.exe or ncrypt.dll on unpatched hosts.
Detection Strategies
- Hunt for token manipulation patterns where a process inherits a SYSTEM token after interacting with the CNG Key Isolation Service from a non-privileged context.
- Correlate Windows Security event ID 4672 (special privileges assigned) with the spawning user context to identify unexpected privilege grants.
- Monitor Sysmon Event ID 10 (ProcessAccess) calls targeting lsass.exe from unusual source processes with PROCESS_VM_READ or PROCESS_QUERY_INFORMATION access rights.
Monitoring Recommendations
- Enable Protected Process Light (PPL) for LSASS and audit any process attempting to access it.
- Forward Microsoft-Windows-Crypto-NCrypt/Operational and Security channel logs to a centralized SIEM for correlation across hosts.
- Baseline normal CNG service activity per host role and alert on deviations, particularly from interactive user sessions.
How to Mitigate CVE-2023-28229
Immediate Actions Required
- Apply the April 2023 Microsoft security updates that address CVE-2023-28229 to all affected Windows client and server versions.
- Prioritize patching of multi-user systems, jump hosts, terminal servers, and any endpoint where untrusted local code may execute.
- Rotate cryptographic keys and credentials on hosts suspected of compromise, as SYSTEM-level access invalidates trust in stored secrets.
- Audit local accounts and remove unnecessary interactive logon rights to reduce the local attack surface.
Patch Information
Microsoft released patches for all supported Windows versions on April 11, 2023. Administrators should consult the Microsoft Security Update Guide for CVE-2023-28229 for the specific KB article applicable to each operating system build. Given CISA KEV listing, federal agencies and regulated organizations should treat remediation as time-bound. See the CISA Known Exploited Vulnerabilities Catalog entry for compliance deadlines.
Workarounds
- No official Microsoft workaround exists. Patching is the only supported remediation.
- Restrict local logon rights and enforce least privilege via Group Policy to limit which users can reach the local attack vector.
- Enable LSA protection (RunAsPPL) and Credential Guard where supported to harden lsass.exe against tampering.
# Enable LSA Protection (RunAsPPL) on Windows hosts
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Verify the April 2023 cumulative update is installed
wmic qfe list brief | findstr /i "KB502"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
