Login Sign Up

CVE-2023-27469

7.1 HIGH
Denial of Service

📋 TL;DR

This vulnerability in Malwarebytes Anti-Exploit allows attackers to delete arbitrary files or cause denial of service by sending specially crafted ALPC messages. It affects users running Malwarebytes Anti-Exploit 4.4.0.220 on Windows systems.

💻 Affected Systems

Products:
  • Malwarebytes Anti-Exploit
Versions: 4.4.0.220
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version 4.4.0.220 of Malwarebytes Anti-Exploit. Other versions and Malwarebytes products are not affected.

📦 What is this software?

Anti Exploit by Malwarebytes

View all CVEs affecting Anti Exploit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical system files, potentially leading to permanent data loss or system instability requiring reinstallation.

🟠

Likely Case

Local denial of service through deletion of user files or application files, disrupting normal operations and requiring file restoration.

🟢

If Mitigated

Limited impact if proper file permissions and access controls are in place, potentially only affecting non-critical user files.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised accounts with local access could exploit this to disrupt systems or delete important files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to the system and knowledge of ALPC message crafting. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.0.221 or later

Vendor Advisory: https://www.malwarebytes.com/secure/cves/cve-2023-27469

Restart Required: Yes

Instructions:

1. Open Malwarebytes Anti-Exploit. 2. Check for updates in settings. 3. Install available updates. 4. Restart the system to ensure complete patch application.

🔧 Temporary Workarounds

Disable Malwarebytes Anti-Exploit

windows

Temporarily disable the vulnerable component until patching can be completed

Right-click Malwarebytes Anti-Exploit system tray icon → Select 'Disable Protection'

🧯 If You Can't Patch

  • Implement strict file permissions and access controls to limit potential damage from arbitrary file deletion
  • Monitor for suspicious ALPC communication and file deletion activities using endpoint detection tools

🔍 How to Verify

Check if Vulnerable:

Check Malwarebytes Anti-Exploit version in the application interface or via 'About' section. If version is exactly 4.4.0.220, the system is vulnerable.

Check Version:

Check application version in Malwarebytes Anti-Exploit GUI under Help → About

Verify Fix Applied:

Verify the version has been updated to 4.4.0.221 or later in the application interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ALPC communication patterns
  • Unexpected file deletion events in system logs
  • Malwarebytes Anti-Exploit crash logs

Network Indicators:

  • Local ALPC traffic patterns (difficult to monitor externally)

SIEM Query:

EventID:4663 OR EventID:4656 with TargetObject containing suspicious file paths AND ProcessName containing 'mbae'

📊 Metadata

CVE ID: CVE-2023-27469
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE: CWE-59
Published: June 30, 2023
Last Updated: November 26, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27469, you might also want to check these:

CVE-2024-37143 10.0

This CVE describes an Improper Link Resolution Before File Access vulnerability in multiple Dell Pow...

Same vulnerability type (CWE-59)
CVE-2024-28185 10.0

CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrar...

Same vulnerability type (CWE-59)
CVE-2024-48862 9.8

CVE-2024-48862 is a path traversal vulnerability in QNAP's QuLog Center that allows remote attackers...

Same vulnerability type (CWE-59)