CVE-2023-36568 Overview
CVE-2023-36568 is an elevation of privilege vulnerability in the Microsoft Office Click-to-Run (C2R) service. The flaw resides in link-following behavior [CWE-59], where the service follows a symbolic link or junction created by a low-privileged user. A local authenticated attacker who wins a race condition can leverage this behavior to perform file operations with higher privileges. Microsoft addressed the issue in the October 2023 security updates for Microsoft 365 Apps, Microsoft Office 2019, and Office LTSC 2021.
Critical Impact
Successful exploitation allows a local low-privileged user to elevate to higher privileges on the host, gaining the ability to read, modify, or delete protected files.
Affected Products
- Microsoft 365 Apps for Enterprise
- Microsoft Office 2019
- Microsoft Office LTSC 2021
Discovery Timeline
- 2023-10-10 - CVE-2023-36568 published to NVD and addressed in Microsoft's October 2023 Patch Tuesday
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-36568
Vulnerability Analysis
The Click-to-Run service is a streaming and virtualization technology that installs and updates Microsoft Office products. The service runs with SYSTEM privileges and performs file operations on paths writable by lower-privileged users. The vulnerability is categorized as a link-following issue [CWE-59], commonly referred to as a symbolic link or junction-based privilege escalation.
Exploitation requires local access and valid credentials on the target machine. The attack complexity is high because the attacker must reliably win a race condition between the privileged service's file access and the attacker's manipulation of the underlying path. Once won, the attacker redirects a privileged file operation to a target location of their choice, breaking the integrity boundary between the user and the SYSTEM account.
Root Cause
The underlying weakness stems from the Click-to-Run service performing file operations on user-controlled paths without adequately validating that the resolved target is not a symbolic link, junction, or hard link. When the service opens, writes, or deletes a file along such a redirected path, the privileged action is applied to an attacker-chosen location instead of the intended one.
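As an added illustration of the missing check described above (example code, not Click-to-Run's own logic), the function below walks each component of a user-influenced path with lstat, refuses any symbolic link or junction (reparse point) and any hard-linked leaf, and then opens with O_NOFOLLOW so the final step does not follow a link either. The base directory, the file layout in the demo, and the names `check_path`, `open_for_write` and `UnsafePath` are assumptions of this example; the check-then-open window is the race the page describes, so the caller must keep using the returned descriptor rather than re-opening by path.

```python
"""Hardened path check before a privileged file operation.
Added illustration; not Click-to-Run code.  Layout in demo() is constructed."""
import os
import stat
import tempfile
from pathlib import Path

# Windows sets this attribute for symbolic links and junctions alike; other
# platforms lack st_file_attributes, so the S_ISLNK test carries the check.
REPARSE_BIT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


class UnsafePath(Exception):
    """A path component could redirect the operation elsewhere."""


def _is_reparse(st: os.stat_result) -> bool:
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_BIT)


def check_path(base: str, relative: str, allow_missing_leaf: bool = False) -> str:
    """Walk ``relative`` below ``base`` one component at a time with lstat.

    ``base`` is assumed writable only by the privileged party; ``relative`` is
    the portion an unprivileged user may have shaped.  Returns the joined path
    if every component is a plain directory or file, else raises UnsafePath.
    """
    rel = Path(relative)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePath(f"path escapes base: {relative}")
    current = Path(base)
    parts = rel.parts
    for i, part in enumerate(parts):
        current = current / part
        try:
            st = os.lstat(current)  # lstat never follows the component itself
        except FileNotFoundError:
            if allow_missing_leaf and i == len(parts) - 1:
                return str(current)
            raise UnsafePath(f"missing component: {current}")
        if _is_reparse(st):
            raise UnsafePath(f"reparse point or symlink: {current}")
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            raise UnsafePath(f"hard-linked file: {current}")
    return str(current)


def open_for_write(base: str, relative: str) -> int:
    """Check, then open without following a link at the leaf (O_NOFOLLOW where
    the platform offers it).  Callers act on the descriptor, not the path."""
    path = check_path(base, relative, allow_missing_leaf=True)
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo() -> dict:
    """Constructed layout: a service directory holding a legitimate cache file,
    a symlink pointing outside the directory, and a hard-linked file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "service")
        cache = os.path.join(base, "cache")
        os.makedirs(cache)
        protected = os.path.join(tmp, "protected.txt")  # stands in for a protected target
        for p in (protected, os.path.join(cache, "good.txt"), os.path.join(cache, "orig.txt")):
            with open(p, "w") as f:
                f.write("x")
        os.symlink(protected, os.path.join(cache, "redirect.txt"))
        os.link(os.path.join(cache, "orig.txt"), os.path.join(cache, "alias.txt"))

        fd = open_for_write(base, "cache/good.txt")  # legitimate path passes
        os.write(fd, b"service data")
        os.close(fd)
        with open(os.path.join(cache, "good.txt")) as f:
            results["good_written"] = f.read() == "service data"
        for name, rel in (("symlink", "cache/redirect.txt"),
                          ("hardlink", "cache/alias.txt"),
                          ("traversal", "../protected.txt")):
            try:
                check_path(base, rel)
                results[name + "_rejected"] = False
            except UnsafePath:
                results[name + "_rejected"] = True
        with open(protected) as f:  # the out-of-tree file was never touched
            results["protected_untouched"] = f.read() == "x"
    return results


if __name__ == "__main__":
    print(demo())
```

On Windows the same lstat-based walk also rejects junctions, because `st_file_attributes` carries FILE_ATTRIBUTE_REPARSE_POINT for both link types; the hard-link test (`st_nlink > 1`) covers the third redirection primitive named in the root-cause description.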
Attack Vector
The attack requires local authenticated access. An attacker places a junction or symbolic link in a directory the Click-to-Run service will operate on, then triggers a service action such as repair, update, or configuration apply. When the service follows the link, it performs the privileged operation against a protected target like a file in Program Files or System32. The result is arbitrary file write, overwrite, or deletion as SYSTEM, which can be chained into full privilege escalation through DLL planting or service binary replacement.
No public proof-of-concept exploit is listed in Exploit-DB, and the issue is not present on the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.22%.
Detection Methods for CVE-2023-36568
Indicators of Compromise
- Creation of NTFS junctions or symbolic links inside Click-to-Run working directories under %ProgramData%\Microsoft\ClickToRun or per-user Office cache paths by non-administrative processes.
- Unexpected file writes or deletions in Program Files\Common Files\Microsoft Shared\ClickToRun performed shortly after a low-privileged user invokes Office repair or update flows.
- New or modified DLLs or executables in Office install directories that do not match Microsoft signing chains.
Detection Strategies
- Hunt for mklink, CreateSymbolicLink, or DeviceIoControl with FSCTL_SET_REPARSE_POINT issued by non-elevated processes targeting Office directories.
- Correlate OfficeClickToRun.exe file operations with prior reparse-point creation events from the same user session to identify race-condition exploitation.
- Alert on SYSTEM-context writes that land in user-writable paths immediately after a Click-to-Run task is triggered.
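The second strategy above, correlating a privileged OfficeClickToRun.exe file operation with an earlier reparse-point creation covering the same path, as an added example (not code from the page or from any vendor). The event layout, the `reparse_create` event kind, the 60-second window and the sample events are constructed assumptions: Sysmon has no native reparse-point event, so `reparse_create` stands for whatever sensor rule (mklink, CreateSymbolicLink or FSCTL_SET_REPARSE_POINT telemetry) supplies that signal.

```python
"""Correlate non-elevated reparse-point creation in Click-to-Run directories
with a later SYSTEM-context file op by OfficeClickToRun.exe on that path.
Added example; event shape and SAMPLE_EVENTS are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Click-to-Run working directories named on the page, lower-cased for matching
C2R_DIRS = (
    r"c:\programdata\microsoft\clicktorun",
    r"c:\program files\common files\microsoft shared\clicktorun",
)
WINDOW = timedelta(seconds=60)   # assumed: how long a reparse point stays relevant
NON_ELEVATED = {"Low", "Medium"}


@dataclass
class Event:
    ts: datetime
    kind: str        # "reparse_create" | "file_create" | "file_delete"
    image: str       # process image that performed the action
    user: str
    integrity: str   # Low / Medium / High / System
    target: str      # filesystem path acted upon


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def under(path: str, root: str) -> bool:
    """True if ``path`` equals ``root`` or lies beneath it (case-insensitive)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def correlate(events: List[Event]) -> List[Dict]:
    """One alert per privileged Click-to-Run file op that follows, within
    WINDOW, a non-elevated reparse-point creation covering the op's path."""
    alerts: List[Dict] = []
    pending: List[Event] = []   # recent candidate reparse points
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.kind == "reparse_create" and ev.integrity in NON_ELEVATED
                and any(under(ev.target, d) for d in C2R_DIRS)):
            pending.append(ev)
            continue
        if (ev.kind in ("file_create", "file_delete")
                and ev.image.lower().endswith("officeclicktorun.exe")
                and ev.integrity == "System"):
            pending = [p for p in pending if ev.ts - p.ts <= WINDOW]  # expire old ones
            for rp in pending:
                if under(ev.target, rp.target):
                    alerts.append({
                        "time": ev.ts.isoformat(),
                        "user": rp.user,                 # who planted the reparse point
                        "reparse_point": rp.target,
                        "privileged_op": ev.kind,
                        "privileged_target": ev.target,
                        "delay_s": (ev.ts - rp.ts).total_seconds(),
                    })
    return alerts


def t(s: str) -> datetime:
    return datetime.fromisoformat("2023-10-11T" + s)


C2R_EXE = r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"
CACHE = r"C:\ProgramData\Microsoft\ClickToRun\Cache"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [  # constructed telemetry, not real log data
    Event(t("09:00:00"), "reparse_create", r"C:\Windows\System32\cmd.exe",
          r"CORP\bob", "Medium", CACHE + r"\stage"),
    Event(t("09:00:04"), "file_create", C2R_EXE, SYSTEM, "System",
          CACHE + r"\stage\stream.dat"),          # lands beneath bob's reparse point
    Event(t("09:00:05"), "file_create", C2R_EXE, SYSTEM, "System",
          CACHE + r"\logs\update.log"),           # unrelated directory
    Event(t("09:10:00"), "file_delete", C2R_EXE, SYSTEM, "System",
          CACHE + r"\stage\old.tmp"),             # same tree, but outside WINDOW
    Event(t("09:20:00"), "reparse_create", r"C:\Windows\System32\cmd.exe",
          r"CORP\admin", "High", CACHE + r"\tools"),  # elevated creator: ignored
    Event(t("09:20:02"), "file_create", C2R_EXE, SYSTEM, "System",
          CACHE + r"\tools\x.dll"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only the 09:00:04 write produces an alert: the 09:10:00 deletion is in the same tree but past the window, and the 09:20 pair involves an elevated creator, which the rule deliberately skips so that legitimate administrative junctions do not page anyone.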
Monitoring Recommendations
- Enable Sysmon Event IDs 11 (FileCreate) and 15 (FileCreateStreamHash) with rules covering Office Click-to-Run paths and reparse point creation.
- Forward Windows Security and Sysmon telemetry to a central analytics platform and retain process-lineage data for at least 30 days to support race-condition investigations.
- Monitor for unsigned or unexpected modules loaded by OfficeClickToRun.exe to catch post-exploitation DLL planting.
How to Mitigate CVE-2023-36568
Immediate Actions Required
- Apply the October 2023 Microsoft security update for all affected Office channels, including Microsoft 365 Apps, Office 2019, and Office LTSC 2021.
- Inventory hosts running Click-to-Run installations and confirm the OfficeClickToRun.exe build number reflects the patched version through Account > About in any Office application.
- Restrict interactive logon on shared workstations and servers, since exploitation requires local authenticated access.
Patch Information
Microsoft released fixes through the standard Click-to-Run update channel. Refer to the Microsoft Security Update Guide for CVE-2023-36568 for the specific build numbers per channel. Force an update by running OfficeC2RClient.exe /update user from the Office install directory, or push updates through the Office Deployment Tool and Microsoft Intune.
Workarounds
- No official workaround exists. Patching is the only supported remediation.
- As a compensating control, remove local administrator rights from standard users and audit Office Click-to-Run cache directories for unexpected reparse points.
- Apply application control policies such as Windows Defender Application Control to block unsigned binaries from loading into the Office process tree.
# Force Click-to-Run update to the patched build (PowerShell; the call operator & is required because the quoted path is an expression)
& "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user
# Verify the installed Click-to-Run version against the build listed in the Security Update Guide
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.