CVE-2023-24903
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running vulnerable versions of the Secure Socket Tunneling Protocol (SSTP) service. Attackers can exploit this without authentication by sending specially crafted packets to the SSTP service. All Windows systems with SSTP enabled are potentially affected.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM/administrator privileges, enabling attackers to install malware, steal data, pivot to other systems, or establish persistent access.
Likely Case
Remote code execution leading to ransomware deployment, credential theft, or installation of backdoors on vulnerable systems.
If Mitigated
Limited impact due to network segmentation, proper patching, and disabled SSTP service where not required.
🎯 Exploit Status
Microsoft has not disclosed technical details, but the CVSS score and description suggest reliable exploitation is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in May 2023 (KB5026372 for Windows 10, KB5026370 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24903
Restart Required: Yes
Instructions:
1. Apply the May 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart affected systems after patching.
🔧 Temporary Workarounds
Disable SSTP Service
windowsDisables the SSTP service to prevent exploitation if SSTP functionality is not required.
sc config SstpSvc start= disabled
sc stop SstpSvc
Block SSTP Ports
windowsBlocks network access to SSTP ports (TCP 443) at firewall level.
netsh advfirewall firewall add rule name="Block SSTP" dir=in action=block protocol=TCP localport=443
🧯 If You Can't Patch
- Implement network segmentation to isolate systems with SSTP enabled
- Deploy intrusion detection/prevention systems to monitor for SSTP exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if SSTP service is running and system has not applied May 2023 security updates.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify that May 2023 security updates are installed and SSTP service is either patched or disabled.📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) from SSTP service
- Unexpected process creation from svchost.exe hosting SSTP
Network Indicators:
- Unusual SSTP traffic patterns
- Multiple connection attempts to TCP port 443 from external sources
SIEM Query:
source="windows" AND (event_id=4625 AND process_name="SstpSvc") OR (process_name="svchost.exe" AND command_line="*SstpSvc*")