CVE-2023-25734

8.1 HIGH

📋 TL;DR

This vulnerability lets an attacker craft a Windows .url (Internet Shortcut) file that, once downloaded and opened from Firefox or Thunderbird on Windows, is handed to the operating system with an attacker-supplied remote path. Windows then makes unexpected network requests to that path and may authenticate to it automatically, leaking the user's NTLM challenge/response material (Net-NTLM hashes) to an attacker-controlled server, where it can be cracked offline or relayed. It affects Firefox, Thunderbird, and Firefox ESR on Windows only.

💻 Affected Systems

Products:
  • Firefox
  • Thunderbird
  • Firefox ESR
Versions: Firefox < 110, Thunderbird < 102.8, Firefox ESR < 102.8
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows operating systems. Linux and macOS are not vulnerable.

📦 What is this software?

Firefox is Mozilla's open-source web browser. Firefox ESR (Extended Support Release) is the long-lived branch that receives security fixes without feature changes and is the build most enterprises deploy. Thunderbird is Mozilla's email and calendar client; Thunderbird 102 is built on the same platform code as Firefox ESR 102, which is why the two share the 102.8 fix level here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

NTLM credential theft (offline cracking of the captured hash or NTLM relay) leading to lateral movement, privilege escalation, and domain compromise in enterprise environments.

🟠 Likely Case

Leakage of the user's Net-NTLM authentication to an attacker-controlled server, enabling cracking or relay attacks against that user's account.

🟢 If Mitigated

No impact if the client is patched, or if outbound SMB/NTLM to untrusted hosts is blocked and .url files cannot be opened directly from downloads.

🌐 Internet-Facing: MEDIUM - Requires user interaction to download and open malicious .url file, but common in phishing campaigns.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious .url files via internal file shares or emails.

🎯 Exploit Status

Public PoC: No public exploit code has been disclosed
Weaponized: UNKNOWN
Authentication Required: No (the attacker needs no credentials, only a user who downloads and opens the file)
Complexity: LOW

Exploitation requires user interaction: the victim must download and open a malicious .url file, typically delivered by phishing. Once the shortcut is handled by Windows, the outbound request and NTLM authentication happen automatically; the user is not prompted again.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 110, Thunderbird 102.8, Firefox ESR 102.8

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-05/

Restart Required: Yes

Instructions:

1. Open the affected application (Firefox or Thunderbird).
2. Go to Help > About Firefox (or Help > About Thunderbird).
3. Allow the application to check for and install the update.
4. Restart the application when prompted; the fix is not active until the restart completes.

🔧 Temporary Workarounds

Restrict outbound NTLM and SMB

windows

Firefox has no preference that disables .url handling; the leak happens after the shortcut is handed to Windows, so the workaround belongs at the OS and network layer. Block outbound TCP 445 and 139 to the internet at the perimeter and host firewall. Set the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) to "Audit all" first and to "Deny all" once legitimate NTLM dependencies are known. Where the WebClient (WebDAV) service is not needed, disable it, since Windows can fall back to WebDAV over HTTP when SMB is blocked.

Block .url file downloads

windows

Use endpoint protection or group policy to block download/execution of .url files from untrusted sources.
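
The block below is an added example (not part of this advisory and not Mozilla code) of the triage check a mail gateway or EDR rule would apply before letting a .url file through: it parses the INI-style key=value lines of an Internet Shortcut and flags any value that names another host, either a UNC path (\\host\share) or a file: URL with a host component, because those are the remote paths that make Windows reach out and authenticate. The two sample shortcuts and the TEST-NET address in them are constructed.

```python
"""Triage Windows .url (InternetShortcut) files for values that point at
another host. Added example for gateway/EDR triage; samples are constructed."""
import re
import sys

# key=value lines; .url files are INI-style text, usually under [InternetShortcut]
_KV_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*=\s*(.*?)\s*$")
# \\host\share\..., excluding the local device/long-path prefixes \\?\ and \\.\
_UNC_RE = re.compile(r"^\\\\(?![.?]\\)[^\\/]+(?:[\\/]|$)")
_DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Constructed samples: a benign shortcut and one whose icon lives on a remote share.
BENIGN = (b"[InternetShortcut]\r\nURL=https://example.com/\r\n"
          b"IconFile=C:\\Windows\\System32\\SHELL32.dll\r\nIconIndex=13\r\n")
SUSPECT = (b"[InternetShortcut]\r\nURL=https://example.com/\r\n"
           b"IconFile=\\\\203.0.113.10\\share\\icon.ico\r\nIconIndex=0\r\n")


def remote_reason(value):
    """Return a short reason if value names another host, else None."""
    v = value.strip().strip('"')
    if _UNC_RE.match(v):
        return "UNC path"
    if v.lower().startswith("file:"):
        rest = v[5:]
        stripped = rest.lstrip("/\\")
        slashes = len(rest) - len(stripped)
        # file:///C:/... and file:C:\... are local; file://host/... and
        # file:////host/... carry a host name.
        if (slashes == 2 or slashes >= 4) and stripped and not _DRIVE_RE.match(stripped):
            return "file: URL with host"
    return None


def _decode(data):
    """Shortcuts are usually ANSI or UTF-8; honour a UTF-16 BOM if present."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    try:
        return data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return data.decode("cp1252", errors="replace")


def scan_url_bytes(data):
    """Return [(key, value, reason)] for every key whose value is a remote path.
    All sections are scanned, not just [InternetShortcut], to stay conservative."""
    findings = []
    for line in _decode(data).splitlines():
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        reason = remote_reason(value)
        if reason:
            findings.append((key, value, reason))
    return findings


if __name__ == "__main__":
    # Usage: python scan_url.py path\to\file.url ...
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            for key, value, reason in scan_url_bytes(fh.read()):
                print("%s: %s=%s (%s)" % (path, key, value, reason))
```

A hit on IconFile or WorkingDirectory matters as much as one on URL: Windows resolves the icon path when the shortcut is displayed, so the outbound request does not even require the link target itself to be remote.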

🧯 If You Can't Patch

  • In Firefox, set Settings > General > Applications to "Always ask" for downloaded file types instead of opening them automatically, and keep "Always ask you where to save files" enabled so a .url is never launched straight from the download panel.
  • Block outbound SMB (TCP 445/139) to the internet at the firewall; this blunts this bug and other NTLM-leak techniques alike.
  • Educate users never to open .url files from untrusted sources; a shortcut arriving as an attachment or download is rarely legitimate.

🔍 How to Verify

Check if Vulnerable:

Check the application version in Help > About Firefox/Thunderbird. If the version is below the patched version for that product, the system is vulnerable. Note that "below 110" is not the test for ESR: Firefox ESR 102.8 and later is patched even though it is numerically below 110, while release Firefox 103 through 109 is not.

Check Version:

On Windows, firefox.exe --version writes nothing to the console unless its output is piped (firefox.exe --version | more), so read the file version from PowerShell instead:

(Get-Item 'C:\Program Files\Mozilla Firefox\firefox.exe').VersionInfo.ProductVersion
(Get-Item 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe').VersionInfo.ProductVersion

The Version field in about:support (Help > Troubleshooting Information) shows an "esr" suffix for ESR builds, which distinguishes a patched 102.8 ESR from an unpatched 102.x release build.

Verify Fix Applied:

Verify the application version is at or above Firefox 110, Thunderbird 102.8, or Firefox ESR 102.8.
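
As an added example (not Mozilla tooling), the following Python classifies a reported version against the fix levels above. The non-obvious part is the Firefox 102 line: release Firefox 102 only shipped as 102.0.x, so a Firefox reporting 102.1 or higher is an ESR build and must be compared against 102.8, not 110, while 103 through 109 are unpatched release builds. The script name in the usage comment is hypothetical.

```python
"""Classify Firefox / Firefox ESR / Thunderbird versions against the
CVE-2023-25734 fix levels from MFSA 2023-05 (added example, not Mozilla code)."""
import re
import sys

# Fix levels stated in the advisory: Firefox 110, Firefox ESR 102.8, Thunderbird 102.8.
FIXED = {
    "firefox": (110, 0, 0),
    "firefox-esr": (102, 8, 0),
    "thunderbird": (102, 8, 0),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """'102.7.1esr' -> (102, 7, 1); '110.0' -> (110, 0, 0).
    Channel suffixes such as 'esr', 'b3' or 'a1' are ignored for the comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable(product, version):
    """True if product/version predates its fix.

    Release Firefox 102 only ever shipped as 102.0.x, so a Firefox reporting
    102.1 or higher is an ESR build and is judged against the ESR fix level
    (102.8) rather than against 110. Thunderbird 102 has no such split.
    """
    product = product.lower().replace(" ", "-")
    v = parse_version(version)
    if product == "firefox" and v[0] == 102:
        return v < FIXED["firefox-esr"]
    if product not in FIXED:
        raise ValueError("unknown product: %r" % product)
    return v < FIXED[product]


if __name__ == "__main__":
    # Usage: python check_mfsa2023_05.py firefox 109.0.1   (script name hypothetical)
    # On Windows the version string can be read with PowerShell:
    #   (Get-Item 'C:\Program Files\Mozilla Firefox\firefox.exe').VersionInfo.ProductVersion
    product, version = sys.argv[1], sys.argv[2]
    print("VULNERABLE" if is_vulnerable(product, version) else "patched")
```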

📡 Detection & Monitoring

Log Indicators:

  • A .url file created in the user's Downloads folder by firefox.exe or thunderbird.exe (Sysmon Event ID 11 or equivalent EDR file telemetry)
  • Shortly afterwards, an outbound SMB connection (TCP 445 or 139) to a non-corporate address; the SMB client runs in the kernel, so the connection is attributed to the System process rather than to the browser or mail client
  • If outbound SMB is blocked, a WebDAV (HTTP) connection from the WebClient service to the same host, which is the usual Windows fallback

Network Indicators:

  • NTLM authentication (NTLMSSP negotiate/authenticate exchanges) with external hosts
  • SMB traffic to destinations outside the corporate address space, especially from workstations

SIEM Query:

Illustrative Sysmon-based pattern (field names vary by SIEM; adapt to yours):

EventID=3 AND DestinationPort IN (139, 445) AND NOT DestinationIp IN (corporate_ranges)
  within 5 minutes after
EventID=11 AND Image IN ("*\firefox.exe", "*\thunderbird.exe") AND TargetFilename="*.url"
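
The detection logic below is an added example, not part of this page's source or of any vendor rule set. It runs over Sysmon-style records (Event ID 3 network connections and Event ID 11 file creations, already converted to dicts) and pairs an outbound SMB connection to a non-internal address with a .url file that Firefox or Thunderbird wrote shortly before. The sample events, timestamps and TEST-NET addresses are constructed. The internal ranges are listed explicitly because Python's ipaddress.is_private also treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would silently hide the sample.

```python
"""Hunt for the network side of an NTLM leak: outbound SMB/NetBIOS connections
to non-internal addresses (Sysmon Event ID 3), correlated with a .url file that
Firefox or Thunderbird wrote shortly before (Sysmon Event ID 11).
Added example; the records below are constructed, not real telemetry."""
import ipaddress
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
CLIENT_IMAGES = ("\\firefox.exe", "\\thunderbird.exe")
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"          # Sysmon UtcTime layout

# Listed explicitly: ipaddress.is_private also covers the RFC 5737 documentation
# ranges, which would hide the sample below. Extend with your own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample. The SMB client runs in the kernel, so the outbound
# connection is attributed to the System process, not to firefox.exe.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-02-15 10:00:30.000",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.url"},
    {"EventID": 3, "UtcTime": "2023-02-15 10:00:41.500", "Image": "System",
     "DestinationIp": "203.0.113.10", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2023-02-15 10:00:42.000", "Image": "System",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2023-02-15 10:01:00.000",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2023-02-15 09:00:00.000", "Image": "System",
     "DestinationIp": "192.0.2.9", "DestinationPort": 445},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], TIME_FMT)


def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS (v4/v6 mismatches are False)."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress(events, allowlist=()):
    """Event ID 3 records to SMB/NetBIOS ports on external, non-allowlisted hosts."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or int(ev.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(ev["DestinationIp"])
        except (KeyError, ValueError):
            continue
        if is_internal(addr) or any(addr in net for net in allowed):
            continue
        hits.append(ev)
    return hits


def url_downloads(events):
    """Event ID 11 records where Firefox or Thunderbird wrote a .url file."""
    return [ev for ev in events
            if ev.get("EventID") == 11
            and ev.get("TargetFilename", "").lower().endswith(".url")
            and ev.get("Image", "").lower().endswith(CLIENT_IMAGES)]


def correlated_alerts(events, window_seconds=300):
    """Pair each external SMB connection with the most recent qualifying .url
    write in the preceding window. Returns a list of (connection, file_event)."""
    window = timedelta(seconds=window_seconds)
    downloads = sorted(url_downloads(events), key=_ts)
    alerts = []
    for conn in smb_egress(events):
        t = _ts(conn)
        prior = [dl for dl in downloads if timedelta(0) <= t - _ts(dl) <= window]
        if prior:
            alerts.append((conn, prior[-1]))
    return alerts


if __name__ == "__main__":
    for conn, dl in correlated_alerts(SAMPLE_EVENTS):
        print("ALERT %s System -> %s:%d after %s wrote %s" % (
            conn["UtcTime"], conn["DestinationIp"], conn["DestinationPort"],
            dl["Image"].rsplit("\\", 1)[-1], dl["TargetFilename"]))
```

The uncorrelated hits from smb_egress are still worth a lower-severity alert: workstations rarely have a legitimate reason to speak SMB to the internet, whatever triggered it.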

🔗 References

  • Mozilla Foundation Security Advisory 2023-05: https://www.mozilla.org/security/advisories/mfsa2023-05/
  • NVD entry for CVE-2023-25734: https://nvd.nist.gov/vuln/detail/CVE-2023-25734
