CVE-2023-36884 Overview
CVE-2023-36884 is a remote code execution vulnerability affecting Microsoft Windows Search functionality across supported Windows client and server editions. An attacker can craft a malicious Microsoft Office document that, when opened by a victim, executes arbitrary code in the context of the user. The flaw is rooted in a race condition [CWE-362] and requires user interaction to trigger. CISA has added CVE-2023-36884 to its Known Exploited Vulnerabilities catalog, confirming active exploitation against organizations. EPSS scoring places this vulnerability in the top exploitation-likelihood tier, reflecting its continued use by financially motivated and state-aligned threat actors.
Critical Impact
Successful exploitation grants attackers arbitrary code execution as the victim user, enabling credential theft, lateral movement, and ransomware staging across Windows endpoints and servers.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2) and Windows 11 (21H2, 22H2)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, and 2012 R2
- Microsoft Windows Server 2016, 2019, and 2022
Discovery Timeline
- 2023-07-11 - CVE-2023-36884 published to the National Vulnerability Database by Microsoft
- 2025-10-28 - Last updated in the NVD
Technical Details for CVE-2023-36884
Vulnerability Analysis
The vulnerability resides in how Windows Search and related Office components process specially crafted documents referencing remote content. An attacker delivers a malicious .docx or .rtf file, typically via phishing email or attacker-controlled web content. When the victim opens the document, embedded objects reach out to attacker-controlled infrastructure and trigger code execution outside the expected security boundary.
The weakness is classified as a race condition [CWE-362], where parallel processing of document content and embedded references allows attackers to bypass Mark-of-the-Web protections and the Protected View sandbox. Public reporting has tied exploitation to the RomCom threat cluster, which has used the flaw in targeted campaigns against defense and government entities.
Root Cause
The root cause is improper synchronization when Windows Search and Office handle external references inside compound documents. The timing window between content validation and content retrieval permits attacker-controlled resources to load without the security checks normally applied to untrusted files.
Attack Vector
Exploitation is network-based but requires user interaction. The attacker must convince the target to open a weaponized Office document. Attack complexity is high because the exploit chain depends on race-condition timing and specific document structures. Once triggered, code executes with the privileges of the logged-on user, providing an initial foothold for follow-on operations.
No verified public proof-of-concept code is included in this advisory; refer to the Microsoft Security Update Guide and the Full Disclosure post for technical specifics.
Detection Methods for CVE-2023-36884
Indicators of Compromise
- Office processes (winword.exe, excel.exe) spawning cmd.exe, powershell.exe, mshta.exe, or rundll32.exe shortly after a document is opened
- Outbound SMB or WebDAV connections from Office processes to external IP addresses or hostnames
- Creation of files in %TEMP% or %APPDATA% containing .url, .rtf, or .lnk payloads following document interaction
- Network connections to known RomCom or Storm-0978 infrastructure documented in vendor threat intelligence reporting
Detection Strategies
- Hunt for Office applications loading remote content via WebDAV or SMB, especially on TCP/445 and TCP/80 to non-corporate destinations
- Detect anomalous child-process chains where Office binaries spawn scripting interpreters or LOLBins
- Correlate document-open events with subsequent process injection or credential-access telemetry
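The three hunts above, run over constructed Sysmon-style records (Event ID 1 process create, Event ID 3 network connect). This is an added example, not content from this advisory or from Microsoft; the field names, the corporate address ranges, the 60-second correlation window and the sample events are assumptions.

```python
import ipaddress

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}  # LOLBins from the IoC list
FETCH_PORTS = {445, 80}  # SMB and WebDAV-over-HTTP used for remote template/object retrieval
# Assumed corporate address space; any other destination is treated as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed Sysmon-style records (id 1 = process create, id 3 = network connect); not real telemetry.
EVENTS = [
    {"id": 3, "host": "ws01", "t": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 445},
    {"id": 1, "host": "ws01", "t": 1004, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "host": "ws02", "t": 2000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_ip": "10.20.30.40", "dest_port": 445},   # internal file share: expected
    {"id": 1, "host": "ws03", "t": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},   # user-launched shell: expected
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)

def office_spawned_script_host(ev):
    return (ev["id"] == 1 and basename(ev["parent_image"]) in OFFICE_IMAGES
            and basename(ev["image"]) in SCRIPT_HOSTS)

def office_remote_fetch(ev):
    return (ev["id"] == 3 and basename(ev["image"]) in OFFICE_IMAGES
            and ev["dest_port"] in FETCH_PORTS and is_external(ev["dest_ip"]))

def hunt(events, window=60):
    """Return {host: [(rule, t), ...]} for hosts with at least one hit. A host where a
    remote fetch is followed by a script-host spawn within `window` seconds gets 'chain'."""
    findings = {}
    for ev in events:
        hits = findings.setdefault(ev["host"], [])
        if office_remote_fetch(ev):
            hits.append(("office_remote_fetch", ev["t"]))
        elif office_spawned_script_host(ev):
            hits.append(("office_spawned_script_host", ev["t"]))
    for hits in findings.values():
        fetches = [t for r, t in hits if r == "office_remote_fetch"]
        spawns = [t for r, t in hits if r == "office_spawned_script_host"]
        if any(0 <= s - f <= window for f in fetches for s in spawns):
            hits.append(("chain", max(spawns)))
    return {h: hits for h, hits in findings.items() if hits}

if __name__ == "__main__":
    for host, hits in hunt(EVENTS).items():
        print(host, hits)
```

Only ws01 is reported: the internal SMB connection on ws02 and the Explorer-launched shell on ws03 match neither rule, which keeps the correlated "chain" finding specific to the Office-to-remote-content-to-LOLBin sequence.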
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules that block Office from creating child processes and writing executable content
- Forward Sysmon and Windows Security event logs to a centralized analytics platform for cross-host correlation
- Monitor egress traffic from end-user workstations to flag unexpected outbound SMB or WebDAV sessions
How to Mitigate CVE-2023-36884
Immediate Actions Required
- Apply the August 2023 Microsoft security updates that address CVE-2023-36884 across all affected Windows and Office builds
- Enable the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry mitigation if patching is delayed
- Block inbound and outbound SMB (TCP/445) at the network perimeter to prevent remote payload retrieval
- Train users to report unexpected document attachments and disable macros by default
Patch Information
Microsoft has issued cumulative security updates that remediate CVE-2023-36884. Administrators should consult the Microsoft Security Update Guide for CVE-2023-36884 for the specific KB articles applicable to each Windows version and ensure systems are updated to the latest cumulative release.
Workarounds
- Add Microsoft Office processes (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as documented by Microsoft
- Configure Group Policy to enforce Protected View and block macro execution from files originating on the internet
- Restrict outbound SMB and WebDAV traffic at the firewall to limit remote template and object retrieval
REM Registry mitigation example (apply per Microsoft guidance; run from an elevated command prompt)
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v Excel.exe /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v WinWord.exe /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v PowerPoint.exe /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.