CVE-2023-36563 Overview
CVE-2023-36563 is an information disclosure vulnerability affecting Microsoft WordPad across a wide range of Windows operating systems. This vulnerability allows attackers to disclose sensitive information from affected systems through specially crafted interactions with the WordPad application. The vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating significant real-world threat activity.
Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. Attackers can leverage this flaw to disclose NTLM hashes, potentially leading to credential theft and further network compromise.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2)
- Microsoft Windows Server 2008 (SP2 and R2 SP1)
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- October 10, 2023 - CVE-2023-36563 published to NVD
- October 28, 2025 - Last updated in NVD database
Technical Details for CVE-2023-36563
Vulnerability Analysis
This information disclosure vulnerability exists in Microsoft WordPad due to improper input validation (CWE-20). The vulnerability can be exploited when a user opens a maliciously crafted document or when an attacker convinces a user to interact with a specially crafted file. Upon successful exploitation, an attacker can disclose NTLM hashes from the target system.
The attack requires local access and user interaction, meaning an attacker must either trick a user into opening a malicious document or have already gained initial access to the target system. Once triggered, the vulnerability forces WordPad to initiate outbound SMB connections, leaking the user's NTLM credentials to an attacker-controlled server.
Root Cause
The root cause of CVE-2023-36563 is improper input validation within the Microsoft WordPad application. When processing Rich Text Format (RTF) documents, WordPad fails to properly sanitize OLE (Object Linking and Embedding) objects embedded within documents. This allows attackers to embed malicious OLE objects that, when processed, trigger outbound SMB authentication requests to attacker-controlled servers, resulting in NTLM hash disclosure.
Attack Vector
The attack vector is local, requiring user interaction to exploit. Attackers typically deliver malicious RTF documents via phishing emails or by hosting them on compromised websites. When a victim opens the crafted document in WordPad, the embedded OLE object triggers an SMB connection to an attacker-controlled server. The Windows operating system automatically attempts NTLM authentication to this remote server, disclosing the victim's NTLM hash. Attackers can then use these captured hashes for pass-the-hash attacks, offline password cracking, or NTLM relay attacks to gain unauthorized access to network resources.
The exploitation mechanism leverages WordPad's handling of OLE objects within RTF documents. When the malicious document is opened, WordPad processes the embedded object reference, which points to an attacker-controlled SMB share. See the Microsoft CVE-2023-36563 Update Guide for complete technical details.
Detection Methods for CVE-2023-36563
Indicators of Compromise
- Unexpected outbound SMB (port 445) connections from wordpad.exe to external IP addresses
- RTF documents containing suspicious OLE object references pointing to UNC paths
- Network traffic showing NTLM authentication attempts to unfamiliar or external hosts
- Presence of RTF files with embedded objects referencing external SMB shares
Detection Strategies
- Monitor wordpad.exe process for outbound network connections, particularly to port 445/SMB
- Implement network-level monitoring to detect NTLM authentication attempts to external IP addresses
- Deploy email gateway rules to scan and quarantine RTF attachments with suspicious OLE objects
- Use endpoint detection tools to alert on WordPad spawning unexpected network-related child processes
Monitoring Recommendations
- Enable Windows Security Event logging for NTLM authentication events (Event ID 4624, 4648)
- Configure firewall logging to capture outbound SMB connection attempts from desktop applications
- Implement network intrusion detection signatures for NTLM relay attack patterns
- Monitor for anomalous file downloads of RTF documents from untrusted sources
How to Mitigate CVE-2023-36563
Immediate Actions Required
- Apply the Microsoft security update released in October 2023 Patch Tuesday immediately
- Block outbound SMB traffic (port 445) at the network perimeter where possible
- Educate users about the risks of opening RTF documents from untrusted sources
- Consider blocking RTF attachments at the email gateway level
Patch Information
Microsoft has released security updates to address this vulnerability as part of the October 2023 Patch Tuesday release. Administrators should apply the appropriate security update for their Windows version immediately. Detailed patch information and download links are available in the Microsoft CVE-2023-36563 Update Guide. Given this vulnerability's inclusion in the CISA Known Exploited Vulnerabilities catalog, federal agencies are required to remediate by CISA-specified deadlines.
Workarounds
- Block outbound SMB connections from WordPad using Windows Firewall rules
- Configure Group Policy to disable NTLM authentication where operationally feasible
- Use alternative document viewers that are not affected by this vulnerability
- Implement network segmentation to limit the impact of credential disclosure
# Block outbound SMB from WordPad using Windows Firewall
netsh advfirewall firewall add rule name="Block WordPad SMB" dir=out action=block program="%ProgramFiles%\Windows NT\Accessories\wordpad.exe" protocol=tcp remoteport=445
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
