CVE-2023-36033 Overview
CVE-2023-36033 is an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. A local, authenticated attacker can exploit the flaw to gain SYSTEM privileges on affected Windows hosts. Microsoft addressed the issue in its November 2023 Patch Tuesday release. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog after confirming active in-the-wild exploitation, often paired with initial access malware to escalate privileges on compromised endpoints. The vulnerability is tracked under [CWE-822] (untrusted pointer dereference) and [CWE-119] (improper restriction of operations within memory buffer bounds).
Critical Impact
Local attackers with low-privileged access can escalate to SYSTEM on unpatched Windows 10, Windows 11, and Windows Server systems, with confirmed exploitation in the wild.
Affected Products
- Microsoft Windows 10 (1809, 21H2, 22H2) on x86, x64, and ARM64
- Microsoft Windows 11 (21H2, 22H2, 23H2) on x64 and ARM64
- Microsoft Windows Server 2019, Windows Server 2022, and Windows Server 2022 23H2
Discovery Timeline
- 2023-11-14 - CVE-2023-36033 published to NVD and addressed in Microsoft's November Patch Tuesday
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-36033
Vulnerability Analysis
The vulnerability resides in the Windows Desktop Window Manager (DWM) Core Library (dwmcore.dll), the user-mode component responsible for compositing graphical elements rendered by applications. DWM runs with elevated privileges and processes input from lower-privileged user sessions, creating an attractive target for local privilege escalation.
Exploitation allows an authenticated local user to execute code in the context of the DWM process and elevate to SYSTEM. Confidentiality, integrity, and availability are all impacted because SYSTEM-level access grants full control over the operating system, including the ability to install programs, modify data, and create new accounts.
No user interaction is required beyond running the exploit binary. The flaw is frequently chained with a separate initial access vector, such as a phishing payload or commodity loader, to convert a low-privilege foothold into full host compromise.
Root Cause
The vulnerability is classified under [CWE-822] (untrusted pointer dereference) and [CWE-119] (improper restriction of operations within the bounds of a memory buffer). DWM Core fails to properly validate a pointer or memory boundary when handling specific compositing operations, allowing an attacker-controlled value to influence memory access in the privileged process.
Attack Vector
The attack vector is local. An attacker must already be able to execute code on the target system as an authenticated user with low privileges. The attacker triggers the vulnerable code path in DWM by invoking crafted graphical or window-management operations, corrupting memory within the privileged process to redirect execution and elevate privileges to SYSTEM.
No verified public proof-of-concept code is referenced in the advisory. Refer to the Microsoft Security Response Center advisory for vendor technical details.
Detection Methods for CVE-2023-36033
Indicators of Compromise
- Unexpected child processes spawned by dwm.exe running under the SYSTEM account, particularly command shells (cmd.exe, powershell.exe) or LOLBins.
- Crashes, abnormal terminations, or repeated restarts of dwm.exe recorded in Windows Application or System event logs prior to suspicious activity.
- New SYSTEM-level processes appearing shortly after a low-privileged user logon, with no corresponding administrative action.
Detection Strategies
- Hunt for anomalous parent-child process relationships where dwm.exe spawns interactive or scripting binaries, which is not expected behavior.
- Monitor for SYSTEM-token process creation following a session by a non-administrative user, which is a common signature of local privilege escalation chains.
- Correlate suspicious dwm.exe behavior with prior delivery of known loaders or droppers associated with CISA KEV-listed campaigns.
Monitoring Recommendations
- Enable Windows Sysmon Event ID 1 (process creation) and Event ID 10 (process access) to capture handle requests against dwm.exe and downstream process launches.
- Forward endpoint telemetry to a SIEM or data lake and build identification rules around DWM behavioral baselines.
- Audit privileged token usage with Windows Event ID 4672 to flag low-privileged accounts that abruptly acquire SeDebugPrivilege or SeTcbPrivilege.
How to Mitigate CVE-2023-36033
Immediate Actions Required
- Apply the November 2023 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server hosts immediately. The CVE is on the CISA KEV catalog and requires prioritized remediation for federal agencies.
- Inventory endpoints to confirm patch coverage, with focus on workstations used by privileged administrators and high-value servers.
- Restrict local logon rights and remove unnecessary local administrator accounts to reduce the attacker footprint required to chain this flaw with initial access.
Patch Information
Microsoft released a fix for CVE-2023-36033 as part of the November 14, 2023 Patch Tuesday cycle. Update details and KB articles for each affected Windows build are available in the Microsoft CVE-2023-36033 advisory. The CISA Known Exploited Vulnerabilities Catalog lists this CVE with a remediation deadline for U.S. federal agencies.
Workarounds
- No vendor-supplied workaround exists. Patching is the only supported mitigation.
- Apply application allow-listing (for example, Windows Defender Application Control or AppLocker) to block execution of unknown binaries that could deliver the exploit.
- Enforce least privilege and require multi-factor authentication for any account capable of local interactive logon to limit attacker access prior to escalation.
# Verify the November 2023 cumulative update is installed (example for Windows 11 22H2)
wmic qfe list brief /format:table | findstr /i "KB5032190"
# Alternatively, query installed updates via PowerShell
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2023-11-14') } | Sort-Object InstalledOn -Descending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
