CVE-2023-36874 Overview
CVE-2023-36874 is an elevation of privilege vulnerability affecting the Windows Error Reporting (WER) Service across a wide range of Microsoft Windows operating systems. This vulnerability allows an attacker with local access and low-level privileges to escalate their permissions to SYSTEM-level access, effectively gaining complete control over the affected system.
The Windows Error Reporting Service is a core Windows component responsible for collecting and reporting application crash data to Microsoft. Due to improper handling of symbolic links (symlinks), the service can be manipulated to perform privileged operations on arbitrary files, enabling attackers to elevate their privileges from a standard user account to SYSTEM.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation grants attackers SYSTEM-level privileges, enabling complete system compromise, data exfiltration, and lateral movement within enterprise networks.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022
Discovery Timeline
- July 11, 2023 - CVE-2023-36874 published to NVD
- October 28, 2025 - Last updated in NVD database
Technical Details for CVE-2023-36874
Vulnerability Analysis
This elevation of privilege vulnerability resides in the Windows Error Reporting Service (WerSvc), which runs with SYSTEM privileges. The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack or link following vulnerability.
The WER Service processes error reports and crash dumps, performing file operations in directories that can be influenced by lower-privileged users. When the service follows symbolic links without proper validation, an attacker can redirect these operations to sensitive system locations, effectively hijacking the service's elevated privileges.
The local attack vector means an attacker must first gain code execution on the target system, typically through phishing, drive-by downloads, or exploitation of other vulnerabilities. Once local access is established, the attacker can leverage this vulnerability to escalate from a standard user to SYSTEM privileges without requiring user interaction.
Root Cause
The root cause of CVE-2023-36874 is improper link resolution before file access (CWE-59). The Windows Error Reporting Service fails to adequately validate symbolic links before performing privileged file operations. When processing error reports, the service follows user-controlled symbolic links without verifying that the target destination is appropriate, allowing attackers to redirect file operations to arbitrary locations.
This type of symlink attack exploits the trust relationship between the high-privilege service and the file system paths it operates on. By creating specially crafted symbolic links in user-accessible directories, an attacker can manipulate the service into modifying or accessing files that should be protected from non-privileged users.
Attack Vector
The attack follows a local privilege escalation pattern typical of symlink vulnerabilities in Windows services:
- Initial Access: The attacker gains local access to the target system with standard user privileges
- Symlink Creation: The attacker creates a symbolic link in a directory accessible to the WER Service, pointing to a sensitive system location
- Trigger Service Operation: The attacker triggers the Windows Error Reporting Service to perform a file operation that follows the malicious symlink
- Privilege Escalation: The service, running as SYSTEM, performs the operation on the attacker-controlled target, enabling privilege escalation
The vulnerability has been observed being exploited in the wild by threat actors, and technical details including a proof-of-concept have been published on Packet Storm Security.
Detection Methods for CVE-2023-36874
Indicators of Compromise
- Unusual symbolic link creation in Windows Error Reporting directories such as C:\ProgramData\Microsoft\Windows\WER\
- Unexpected file operations by WerFault.exe or WerSvc targeting sensitive system directories
- Evidence of privilege escalation following crash report generation or error reporting activity
- Anomalous process creation chains originating from svchost.exe hosting the WER Service
Detection Strategies
- Monitor for symbolic link creation events in WER-related directories using Windows Security Event logs
- Deploy behavioral detection rules that identify WerSvc or WerFault.exe accessing files outside expected paths
- Implement endpoint detection for processes that spawn with SYSTEM privileges from unexpected parent processes
- Enable Sysmon logging with rules to capture file system operations by Windows Error Reporting components
Monitoring Recommendations
- Configure Windows Security auditing to capture file system link creation events (Event ID 4663 with access mask 0x100)
- Monitor C:\ProgramData\Microsoft\Windows\WER\ and related directories for suspicious symlink activity
- Enable process creation auditing to detect privilege escalation patterns following WER Service activity
- Integrate endpoint telemetry with SIEM platforms for correlation of WER-related anomalies across the environment
How to Mitigate CVE-2023-36874
Immediate Actions Required
- Apply the July 2023 Microsoft security updates immediately to all affected Windows systems
- Prioritize patching systems with CISA KEV compliance requirements, as this vulnerability has a mandated remediation deadline
- Audit systems for evidence of prior exploitation, including unexpected privilege escalation events
- Implement SentinelOne endpoint protection to detect and block exploitation attempts in real-time
Patch Information
Microsoft released security patches for this vulnerability as part of the July 2023 Patch Tuesday updates. The official security update guide is available from the Microsoft Security Response Center. Organizations should deploy these updates through their standard patch management processes, prioritizing internet-facing and high-value systems.
Given the vulnerability's inclusion in CISA's Known Exploited Vulnerabilities catalog, federal agencies and organizations following CISA guidance must remediate within the specified deadline. Additional information is available from the CISA KEV Catalog.
Workarounds
- Restrict local access to systems where possible, reducing the attack surface for local privilege escalation
- Implement application control policies to limit execution of untrusted code that could serve as an initial access vector
- Monitor and alert on unusual Windows Error Reporting Service activity as an interim detection measure
- Consider disabling the Windows Error Reporting Service on highly sensitive systems if the functionality is not required, though this may impact troubleshooting capabilities
# Temporarily disable Windows Error Reporting Service (use with caution)
sc config WerSvc start= disabled
sc stop WerSvc
# Re-enable after patching
sc config WerSvc start= demand
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
