CVE-2023-28285 Overview
CVE-2023-28285 is a remote code execution vulnerability in Microsoft Office and Microsoft 365 Apps. The flaw is a use-after-free, tracked as [CWE-416], in which Office keeps using a memory object it has already released while parsing crafted document content. Exploitation requires a user to open a malicious file delivered by email, web download, or any other channel that lands the file on the endpoint. Successful exploitation lets an attacker execute arbitrary code in the context of the current user. Microsoft addressed the issue in the April 2023 Patch Tuesday release.
Critical Impact
An attacker who convinces a user to open a malicious Office document executes code with the privileges of the logged-on user on both Windows and macOS installations. That is enough to read and modify everything the user can reach; where the user holds local administrator rights, the whole host is compromised.
Affected Products
- Microsoft 365 Apps - Enterprise edition
- Microsoft Office 2019 for macOS
- Microsoft Office Long Term Servicing Channel (LTSC) 2021 for macOS
Discovery Timeline
- 2023-04-11 - CVE-2023-28285 published to the National Vulnerability Database
- 2023-04-11 - Microsoft released security update guidance for CVE-2023-28285
- 2025-01-01 - Last updated in NVD database
Technical Details for CVE-2023-28285
Vulnerability Analysis
The vulnerability is a use-after-free in Microsoft Office's document parsing components, classified under [CWE-416]. A crafted document drives Office into freeing a heap object while a dangling reference to it remains in use. If the attacker can reoccupy the freed allocation with controlled data before the stale pointer is dereferenced, Office interprets that data as a live object and the attacker can divert execution flow.
Exploitation requires user interaction: the victim must open the weaponized document on a vulnerable build of Microsoft 365 Apps or Office for macOS. The exploit itself runs locally on the host, but the document can be delivered through phishing, drive-by download, or shared collaboration channels.
Code executes at the privilege level of the user running Office; where that user has administrative rights, the attacker gains full control of the host. The Packet Storm advisories cited below describe a proof-of-concept against Microsoft 365 MSO build 16.0.16501.20074.
Root Cause
Office releases a heap-allocated object during document processing without invalidating every reference to it. A later operation reuses the dangling pointer, so whatever now occupies that memory is treated as a valid object. In the usual exploitation pattern for this bug class, the attacker grooms or sprays the heap so that attacker-controlled data lands in the freed slot, then triggers the dereference to redirect execution.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious .docx, .xlsx, or other Office-supported file to the target; when the user opens it, Office parses the embedded content and reaches the use-after-free path. The attacker needs no privileges on the targeted system and no prior authentication to it; the user's decision to open the file is the only prerequisite.
The vulnerability mechanism is documented in the Packet Storm Remote Code Execution advisory and the Packet Storm MS 365 RCE advisory. Refer to these references for exploit specifics rather than synthesized code.
Detection Methods for CVE-2023-28285
Indicators of Compromise
- Microsoft Office processes (winword.exe, excel.exe, powerpnt.exe, outlook.exe, or the macOS Microsoft Word, Microsoft Excel and Microsoft PowerPoint app-bundle executables) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, bash, or osascript.
- Office applications writing executables, scripts, or LaunchAgent property lists (under ~/Library/LaunchAgents on macOS) to user-writable directories shortly after a document is opened.
- Crash telemetry from Office binaries referencing access violations in document parsing components, consistent with use-after-free exploitation attempts.
- Outbound network connections originating from Office processes to previously unseen domains or IP addresses immediately after document open events.
Detection Strategies
- Hunt for Office parent-child process anomalies using EDR telemetry, focusing on script interpreters and living-off-the-land binaries.
- Correlate Office process crashes with subsequent suspicious file or network activity on the same host within short time windows.
- Deploy YARA rules at email gateways to flag Office documents containing malformed structures or known exploit patterns taken from the Packet Storm proofs of concept.
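The two hunts described above (Office parent-to-interpreter spawns, and crash-to-follow-on-activity correlation), as an added example that is not code from the original page or from any EDR vendor. It runs over a constructed set of EDR-style events; the field names (ts, host, type, parent, image, dest, detail) and the sample records are assumptions modelled on Sysmon-like process, crash and network telemetry, not a specific product's schema.

```python
"""Office exploitation hunts over EDR-style telemetry.

Added example, not code from the original page or from any EDR product.
The event schema (ts, host, type, parent, image, dest, detail) and the
sample records below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Office host processes on Windows and their macOS app-bundle executables.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "microsoft word", "microsoft excel", "microsoft powerpoint", "microsoft outlook",
}

# Script interpreters and living-off-the-land binaries Office should not spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "bash", "sh", "zsh", "osascript", "curl", "python3",
}

# Constructed sample telemetry: a benign print-spooler helper spawned by Word,
# Word spawning PowerShell, an Excel access-violation crash followed 42 s later
# by an outbound connection from Excel, and Word on macOS spawning osascript.
SAMPLE_EVENTS = [
    {"ts": "2023-04-12T09:00:01", "host": "wk01", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"ts": "2023-04-12T09:00:05", "host": "wk01", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2023-04-12T10:15:00", "host": "wk02", "type": "crash",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "detail": "access violation 0xc0000005"},
    {"ts": "2023-04-12T10:15:42", "host": "wk02", "type": "network",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest": "203.0.113.9:443"},
    {"ts": "2023-04-12T11:00:00", "host": "mac01", "type": "process",
     "parent": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "image": "/usr/bin/osascript"},
]


def basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office(path):
    return basename(path) in OFFICE_PROCESSES


def office_child_anomalies(events):
    """Process-creation events where an Office parent spawned an interpreter or LOLBin."""
    return [e for e in events
            if e["type"] == "process"
            and is_office(e["parent"])
            and basename(e["image"]) in SUSPICIOUS_CHILDREN]


def crash_followups(events, window_seconds=120):
    """Pair each Office crash with Office-originated network or process activity
    on the same host within window_seconds after the crash."""
    pairs = []
    crashes = [e for e in events if e["type"] == "crash" and is_office(e["image"])]
    for crash in crashes:
        t0 = datetime.fromisoformat(crash["ts"])
        for e in events:
            if e["host"] != crash["host"] or e["type"] not in ("network", "process"):
                continue
            # For a process event the Office binary is the parent; for a network event it is the image.
            actor = e["parent"] if e["type"] == "process" else e["image"]
            delta = datetime.fromisoformat(e["ts"]) - t0
            if is_office(actor) and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                pairs.append((crash, e))
    return pairs


def triage(events):
    """Summarise findings as (host, rule, evidence) tuples for a SIEM or ticket."""
    findings = [(e["host"], "office_spawned_interpreter", basename(e["image"]))
                for e in office_child_anomalies(events)]
    findings += [(c["host"], "office_crash_then_activity",
                  f"{e['type']} {e.get('dest', basename(e['image']))}")
                 for c, e in crash_followups(events)]
    return findings


if __name__ == "__main__":
    for host, rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {evidence}")
```

The benign splwow64.exe spawn is included deliberately: Office legitimately launches a handful of helpers, so the rule keys on a denylist of interpreters and LOLBins rather than on "any child of Office". The crash correlation only pairs activity that follows the crash, and the window is a parameter because the right value depends on how quickly the deployed EDR surfaces crash telemetry.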
Monitoring Recommendations
- Monitor Office build versions across the fleet to identify hosts still running pre-April 2023 builds vulnerable to CVE-2023-28285.
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules and collect the events they emit: in the Microsoft-Windows-Windows Defender/Operational log, Event ID 1121 records a block and Event ID 1122 records an audit-mode match, so a spike of either with an Office parent process is worth triage.
- Forward Office application logs and macOS Unified Logs to a central SIEM for correlation against threat intelligence on Office exploit campaigns.
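A fleet build check of the kind the first recommendation above calls for, as an added example that is not code from the original page or from Microsoft tooling. The inventory is constructed, and the per-channel minimum fixed builds are placeholders (hypothetical values) that must be replaced with the ones listed in the Microsoft Security Update Guide entry for CVE-2023-28285. It handles the Windows-style four-part build string only; Office for Mac reports versions in a different format.

```python
"""Fleet check: which Office installs report a build older than the fixed build.

Added example, not from the original page or from Microsoft tooling. The
inventory is constructed and MIN_FIXED_BUILD holds PLACEHOLDER values: take the
real per-channel fixed builds from the Security Update Guide for CVE-2023-28285.
"""

# PLACEHOLDER thresholds (hypothetical): replace with the values from the advisory.
MIN_FIXED_BUILD = {
    "current": "16.0.16227.20280",
    "monthly-enterprise": "16.0.16130.20306",
    "semi-annual": "16.0.15601.20578",
}

# Constructed inventory: (hostname, update channel, build reported by Office).
SAMPLE_INVENTORY = [
    ("wk01", "current", "16.0.16227.20280"),
    ("wk02", "current", "16.0.16130.20218"),
    ("wk03", "semi-annual", "16.0.9999.20000"),
    ("wk04", "monthly-enterprise", "16.0.16130.20306"),
    ("wk05", "beta", "16.0.16327.20000"),
]


def parse_build(build):
    """'16.0.16227.20280' -> (16, 0, 16227, 20280) so comparisons are numeric.

    A plain string comparison would rank '16.0.9999.x' above '16.0.16227.x'.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Office build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(build, channel, minimums=MIN_FIXED_BUILD):
    """True when the build is at or above the channel's fixed build.

    Unknown channels cannot be judged and raise so they are never silently passed.
    """
    if channel not in minimums:
        raise KeyError(f"no fixed build known for channel {channel!r}")
    return parse_build(build) >= parse_build(minimums[channel])


def find_unpatched(inventory, minimums=MIN_FIXED_BUILD):
    """Return (host, channel, build, reason) for every host needing attention."""
    out = []
    for host, channel, build in inventory:
        try:
            if not is_patched(build, channel, minimums):
                out.append((host, channel, build, "below fixed build"))
        except (KeyError, ValueError) as err:
            out.append((host, channel, build, f"needs manual review: {err}"))
    return out


if __name__ == "__main__":
    for host, channel, build, reason in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host} [{channel}] {build}: {reason}")
```

Hosts on a channel the threshold table does not cover are reported for manual review rather than skipped, which matters for insider or beta channels whose fixed build differs from the mainstream ones.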
How to Mitigate CVE-2023-28285
Immediate Actions Required
- Apply the April 2023 Microsoft security update for Microsoft 365 Apps, Office 2019 for macOS, and Office LTSC 2021 for macOS as documented in the Microsoft Security Update Guide.
- Inventory all endpoints running Microsoft Office and prioritize patching for systems where users handle external documents.
- Enable Protected View for documents originating from the internet or email attachments, so that untrusted files are parsed in a sandboxed, read-only instance, and keep Office macro restrictions in place as defense in depth (macro policy does not address the parsing flaw itself, but it removes the most common follow-on payload path).
Patch Information
Microsoft published the official fix on April 11, 2023 through the standard Patch Tuesday channel. Administrators should deploy the update via Microsoft Update, Microsoft Endpoint Manager, or the Microsoft AutoUpdate tool on macOS. Refer to the Microsoft Security Update CVE-2023-28285 advisory for the exact build numbers per channel.
Workarounds
- Block inbound email attachments with high-risk Office file extensions at the mail gateway until patching is complete.
- Configure Office to open documents from untrusted locations in Protected View and disable automatic activation of embedded or linked content.
- Restrict user privileges so Office runs under a standard account, limiting the impact of any successful exploitation.
- Enable Microsoft Defender ASR rules that block Office applications from creating child processes and writing executable content. Use Add-MpPreference rather than Set-MpPreference when enabling rules one at a time: Set-MpPreference replaces the whole rule list, so calling it once per rule leaves only the last rule enabled.
# Configuration example - Enable ASR rules to block Office child process creation and executable content on Windows
# Add-MpPreference appends to the existing rule list (Set-MpPreference would replace it)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled  # Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled  # Block Office applications from creating executable content
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids  # Verify both GUIDs are listed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

