CVE-2023-28250
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Windows systems by sending specially crafted PGM (Pragmatic General Multicast) packets. It affects Windows systems with the PGM protocol enabled, primarily servers using Windows Server editions. Attackers can exploit this without authentication to gain SYSTEM-level privileges.
💻 Affected Systems
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows 10
- Windows 11
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20H2 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, create backdoors, or pivot to other systems in the network.
Likely Case
Remote code execution leading to ransomware deployment, data exfiltration, or botnet recruitment of vulnerable systems.
If Mitigated
Limited impact if systems are patched, network segmentation is in place, and PGM protocol is disabled on internet-facing systems.
🎯 Exploit Status
Exploitation requires sending specially crafted PGM packets to vulnerable systems; no authentication required
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2023 security updates (KB5025229, KB5025230, etc. depending on Windows version)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28250
Restart Required: Yes
Instructions:
1. Apply the April 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Disable PGM Protocol
Disables multicast group membership (the IPv4 IGMP / IPv6 MLD level) so the host stops listening for multicast traffic. This setting does not uninstall the PGM (Reliable Multicast Protocol) component itself, so confirm that component's state separately rather than relying on this alone.
netsh interface ipv4 set global mldlevel=none
netsh interface ipv6 set global mldlevel=none
Block PGM Ports
Blocks inbound UDP traffic on the listed PGM ports to reduce remote exposure. Note that native PGM (RFC 3208) is carried directly over IP as protocol number 113 rather than over UDP, so a UDP port rule only covers traffic that actually uses these ports; review whether IP protocol 113 also needs to be filtered at the host or perimeter firewall.
netsh advfirewall firewall add rule name="Block PGM" dir=in action=block protocol=udp localport=3010,3011,3012 remoteport=any
🧯 If You Can't Patch
- Disable PGM protocol on all affected systems using administrative tools or registry settings
- Implement network segmentation to isolate systems with PGM enabled from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if the PGM protocol is enabled: run 'netsh interface ipv4 show global' and look at the 'Multicast Level' setting. If it is set to anything other than 'none', the system may be vulnerable if it is unpatched.
Check Version:
wmic qfe get hotfixid | findstr KB5025229
Verify Fix Applied:
Verify April 2023 security updates are installed: Run 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"' and check for KB5025229 or later patches.
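The two checks above combined into one script, as an added example that is not part of the original advisory. It assumes the April 2023 KB numbers named above apply to the host's build, that `netsh interface ipv4/ipv6 show global` prints a line labelled either 'MLD Level' or 'Multicast Level' (the label wording is an assumption), and that it runs from an elevated PowerShell prompt.

```powershell
# Added verification helper for CVE-2023-28250 (not from the original advisory).
# Assumptions: the KB list below matches this host's Windows build, and netsh
# prints a '(MLD|Multicast) Level : <value>' line. Run from an elevated prompt.

$AprilKbs = @('KB5025229', 'KB5025230')   # from the advisory; extend per OS build

function Get-PgmMulticastLevel {
    param([ValidateSet('ipv4', 'ipv6')][string]$Family)
    $out = netsh interface $Family show global 2>$null
    # Tolerant match: the label differs between builds and locales (assumption).
    $line = $out |
        Where-Object { $_ -match '^\s*(MLD|Multicast)\s+Level\s*:' } |
        Select-Object -First 1
    if ($line -and $line -match ':\s*(\S+)\s*$') { return $Matches[1] }
    return 'unknown'   # treated as "not disabled" so the result errs on the safe side
}

function Test-Cve202328250Exposure {
    # A later cumulative update supersedes these KBs, so a missing KB is a prompt
    # to check the installed build, not proof that the host is unpatched.
    $installed = Get-HotFix | Where-Object { $AprilKbs -contains $_.HotFixID }
    $patched   = [bool]$installed
    $v4 = Get-PgmMulticastLevel -Family ipv4
    $v6 = Get-PgmMulticastLevel -Family ipv6
    # -ne is case-insensitive, so 'None' and 'none' both count as disabled.
    $multicastOn = ($v4 -ne 'none') -or ($v6 -ne 'none')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AprilKbInstalled = ($installed.HotFixID -join ',')
        Patched          = $patched
        MldLevelIPv4     = $v4
        MldLevelIPv6     = $v6
        # Exposed only when unpatched AND multicast listening is still enabled,
        # mirroring the advisory's "Check if Vulnerable" logic.
        Exposed          = (-not $patched) -and $multicastOn
    }
}

Test-Cve202328250Exposure | Format-List
```

The object it returns can be collected from many hosts (for example via Invoke-Command) and filtered on the Exposed field to prioritise patching.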
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) from unexpected sources
- Event ID 4625 (failed logon) with source network address
- Unexpected service creation or modification events
Network Indicators:
- Unusual UDP traffic on ports 3010-3012 (PGM ports)
- Spike in multicast traffic from external sources
- Network scans targeting PGM ports
SIEM Query:
source="windows_security" event_id=4688 OR event_id=4625 | where dest_port=3010 OR dest_port=3011 OR dest_port=3012