CVE-2023-36010 Overview
CVE-2023-36010 is a denial of service vulnerability in the Microsoft Malware Protection Platform, the engine underlying Microsoft Defender. An unauthenticated attacker can trigger the flaw over the network without user interaction, causing the Defender service to become unavailable. Microsoft published the advisory on December 12, 2023, and the issue carries a CVSS 3.1 base score of 7.5 with high availability impact.
Loss of Defender availability removes endpoint anti-malware coverage, creating a window for follow-on attacks while the protection layer is degraded or offline.
Critical Impact
A network-reachable attacker can disable Microsoft Defender protection without credentials or user interaction, removing real-time anti-malware coverage on affected hosts.
Affected Products
- Microsoft Malware Protection Platform
- Microsoft Defender Antivirus (engine component)
- Windows endpoints running affected Defender platform versions
Discovery Timeline
- 2023-12-12 - Microsoft published security advisory for CVE-2023-36010
- 2023-12-12 - CVE-2023-36010 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-36010
Vulnerability Analysis
CVE-2023-36010 is a denial of service condition in the Microsoft Malware Protection Platform, the runtime component that drives Defender scanning and signature processing. The flaw allows a remote, unauthenticated actor to disrupt the availability of the anti-malware service. Confidentiality and integrity are not impacted, but availability is fully compromised when the condition is triggered.
Microsoft has not published low-level technical details, and the CWE classification is recorded as NVD-CWE-noinfo. The advisory indicates the attack reaches the platform over the network with low complexity and without privileges or user action.
The EPSS probability sits at 3.324% (87.4 percentile), reflecting elevated relative interest compared with most CVEs despite no public exploit code at this time.
Root Cause
The root cause is not publicly documented. Microsoft attributes the issue to processing logic within the Malware Protection Platform that can be driven into a failure state by crafted input reachable through normal Defender scanning paths. Refer to the Microsoft Security Update CVE-2023-36010 advisory for vendor-supplied detail.
Attack Vector
The attack vector is network. An attacker delivers content that Defender inspects — for example, files traversing a network share, email gateway, or web download path — and that content triggers the unavailability condition in the scanning engine. No authentication or user interaction is required.
No verified proof-of-concept code is publicly available. The vulnerability is described in prose only, consistent with Microsoft's standard advisory disclosure for Defender platform issues.
Detection Methods for CVE-2023-36010
Indicators of Compromise
- Unexpected termination or repeated restarts of MsMpEng.exe or the WinDefend service
- Microsoft Defender platform version older than the patched build deployed across managed endpoints
- Sudden gaps in Defender telemetry or signature update reporting from otherwise healthy hosts
Detection Strategies
- Query endpoint inventory for the Defender platform version and flag hosts running pre-patch builds
- Alert on Windows Event Log entries from the Microsoft-Windows-Windows Defender/Operational channel indicating engine crashes or service stops
- Correlate Defender service unavailability with inbound network activity or new files written immediately prior to the failure
Monitoring Recommendations
- Track health state of WinDefend and the Defender real-time protection component across the fleet
- Monitor for Defender platform update failures and surface hosts that fall behind on engine versions
- Forward Defender operational events to a centralized log platform for fleet-wide trend analysis
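An added PowerShell check, not from the advisory or this page, that combines the version-inventory and event-log strategies above: it reports the local Defender platform and engine versions, flags a build below the patched version, and pulls engine-failure and service-stop events from the last day. The patched build number is a placeholder parameter because this page does not list it, and the Defender and Service Control Manager event IDs are this example's assumption from Microsoft's documented operational events, not values given on the page.

```powershell
# Added example: check one host for CVE-2023-36010 exposure and Defender availability loss.
param(
    # PLACEHOLDER: replace with the platform (AMProductVersion) build listed in the advisory
    [version]$PatchedPlatformVersion = '0.0.0.0',
    [int]$LookbackHours = 24
)

function Test-DefenderPlatformPatched {
    param([version]$Required)
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $status.AMProductVersion
        EngineVersion   = $status.AMEngineVersion
        ServiceRunning  = $status.AMServiceEnabled
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        IsPatched       = ([version]$status.AMProductVersion -ge $Required)
    }
}

function Get-DefenderFailureEvents {
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    # Defender/Operational: 5008 engine terminated on unexpected error, 3002 real-time
    # protection failed, 5001/5012 real-time protection or antivirus disabled (assumed IDs)
    $defender = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5008, 3002, 5001, 5012; StartTime = $since
    } -ErrorAction SilentlyContinue
    # System log: Service Control Manager 7031/7034 report unexpected service termination
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'WinDefend|Defender Antivirus' }
    @($defender; $scm) | Where-Object { $_ -ne $null } | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$health = Test-DefenderPlatformPatched -Required $PatchedPlatformVersion
$health | Format-List
if (-not $health.IsPatched) {
    Write-Warning "$($health.ComputerName): platform $($health.PlatformVersion) is below $PatchedPlatformVersion"
}
if (-not $health.ServiceRunning -or -not $health.RealTimeEnabled) {
    Write-Warning "Defender service or real-time protection is not running; investigate before re-enabling"
}
$events = Get-DefenderFailureEvents -Hours $LookbackHours
if ($events) { $events | Format-Table -AutoSize } else { "No Defender failure events in the last $LookbackHours hours" }
```

Run it under an account that can read the Defender/Operational channel; for fleet use, wrap the two functions in Invoke-Command against your endpoint inventory and forward the results to the central log platform the monitoring section describes.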
How to Mitigate CVE-2023-36010
Immediate Actions Required
- Confirm Microsoft Malware Protection Platform is updated to the version listed in the Microsoft Security Update CVE-2023-36010 advisory
- Verify that Defender platform updates are not blocked by group policy, WSUS approval gaps, or network filtering
- Re-enable real-time protection on any host where it is found stopped and investigate the cause
Patch Information
Microsoft addressed CVE-2023-36010 through an update to the Malware Protection Platform delivered via the standard Defender update channel. Endpoints receiving regular Defender platform updates typically install the fix automatically. Confirm deployment using the vendor advisory at Microsoft Security Update CVE-2023-36010.
Workarounds
- No vendor-supplied workaround exists; applying the Defender platform update is the supported remediation
- Restrict untrusted inbound content paths (email attachments, external file shares) until patch deployment is verified
- Use configuration management to force Defender platform update checks on hosts that report outdated versions
# Verify Microsoft Defender platform version on Windows
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AMServiceVersion, NISEngineVersion
# Force a Defender definition update (signatures and engine); platform (AMProductVersion) updates arrive through Windows Update or WSUS
Update-MpSignature
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.