CVE-2023-28297
📋 TL;DR
This vulnerability in Windows Remote Procedure Call Service allows an authenticated attacker to execute code with SYSTEM privileges by exploiting a use-after-free condition. It affects Windows systems with RPCSS service running, primarily servers and workstations. Successful exploitation requires local access but can lead to complete system compromise.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains SYSTEM privileges, enabling complete control over the system, installation of malware, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation from a standard user or service account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.
If Mitigated
Limited impact with proper network segmentation, least privilege accounts, and endpoint protection that detects privilege escalation attempts.
🎯 Exploit Status
Exploitation requires local authenticated access. Proof-of-concept code has been published, making weaponization likely in targeted attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2023 security updates (KB5025221, KB5025239, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28297
Restart Required: Yes
Instructions:
1. Apply April 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or SCCM.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict RPCSS Service Access
Limit which users can interact with the RPCSS service through Windows Firewall rules and service permissions:
netsh advfirewall firewall add rule name="Block RPCSS" dir=in action=block protocol=TCP localport=135,445,593
sc sdset rpcss D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows version and compare with patched versions. Systems without April 2023 security updates are vulnerable.
Check Version:
wmic os get Caption,Version,BuildNumber
Verify Fix Applied:
Verify Windows Update history shows April 2023 security updates installed, or check system version is post-April 2023.
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: New process creation with SYSTEM privileges from non-SYSTEM accounts
- Event ID 4672: Special privileges assigned to new logon
- RPCSS service crashes or unexpected behavior
Network Indicators:
- Unusual RPC traffic patterns, especially to/from RPCSS service
- Multiple failed RPC authentication attempts followed by successful privileged access
SIEM Query:
source="windows-security" event_id=4688 | where (process_name contains "cmd.exe" OR process_name contains "powershell.exe") | where user_name != "SYSTEM" | where parent_process_name contains "svchost.exe"
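The two Event ID 4688 indicators above, implemented as an offline rule over constructed sample events (this is an added example, not code from the page or from Microsoft; the field names subject_user, target_user, new_process and parent_process are assumed normalisations of the 4688 "Subject", "Target Subject", "New Process Name" and "Creator Process Name" fields):

```python
"""Offline check of the Event ID 4688 indicators for an RPCSS privilege escalation.

Rule 1 mirrors the SIEM query: a cmd/powershell spawned under svchost.exe (the
RPCSS host process) whose creating account is not SYSTEM.
Rule 2 mirrors the log indicator: the new process runs with a SYSTEM token
although the creating account is a normal user.
"""
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe"}
RPC_HOST = "svchost.exe"
SYSTEM = "SYSTEM"


@dataclass(frozen=True)
class ProcessCreation:
    record_id: int
    subject_user: str    # 4688 Subject: account that created the process
    target_user: str     # 4688 Target Subject: account of the new token ("-" = same as subject)
    new_process: str     # 4688 New Process Name (full path)
    parent_process: str  # 4688 Creator Process Name (full path)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def shell_from_rpc_host(ev: ProcessCreation) -> bool:
    return (basename(ev.new_process) in SHELLS
            and basename(ev.parent_process) == RPC_HOST
            and ev.subject_user.upper() != SYSTEM)


def system_token_from_user(ev: ProcessCreation) -> bool:
    return ev.target_user.upper() == SYSTEM and ev.subject_user.upper() != SYSTEM


RULES = (("shell_from_rpc_host", shell_from_rpc_host),
         ("system_token_from_user", system_token_from_user))


def flag_events(events):
    """Return (record_id, [matched rule names]) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = [name for name, rule in RULES if rule(ev)]
        if reasons:
            hits.append((ev.record_id, reasons))
    return hits


# Constructed sample events, not real telemetry.
S32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ProcessCreation(101, "alice", "SYSTEM", S32 + "cmd.exe", S32 + "svchost.exe"),        # both rules
    ProcessCreation(102, "SYSTEM", "-", S32 + "svchost.exe", S32 + "services.exe"),      # normal service start
    ProcessCreation(103, "alice", "-", S32 + "WindowsPowerShell\\v1.0\\powershell.exe", S32 + "..\\explorer.exe"),  # user shell
    ProcessCreation(104, "bob", "SYSTEM", S32 + "notepad.exe", S32 + "svchost.exe"),    # token rule only
]

if __name__ == "__main__":
    for record_id, reasons in flag_events(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(reasons)}")
```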