CVE-2023-29346

7.8 HIGH

📋 TL;DR

This vulnerability allows a local, authenticated attacker to exploit a flaw in the Windows NTFS file system driver (ntfs.sys, a kernel-mode driver) to elevate privileges from a standard user account to SYSTEM. The attacker must already be able to run code on the target, for example as a logged-on low-privileged user or through an earlier foothold; no remote or unauthenticated path is described for this issue.

💻 Affected Systems

Products:
  • Windows 10
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
Versions: Builds that have not received the May 2023 security updates (see the MSRC advisory for the exact affected and fixed builds per servicing branch)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: NTFS is the default file system on every listed Windows version, so no special configuration is needed to be exposed. Exploitation requires local access and the ability to execute code as a low-privileged user.

📦 What is this software?

NTFS is the default file system on all supported Windows client and server releases. It is implemented by the kernel-mode driver ntfs.sys, so a flaw in it that a low-privileged user can trigger through ordinary file-system operations runs with kernel privileges, which is why driver bugs of this kind yield SYSTEM-level elevation rather than a mere crash of a user process.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where an attacker gains SYSTEM privileges, enabling them to install programs, view/change/delete data, create new accounts, and bypass security controls.

🟠

Likely Case

Privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass application restrictions, access sensitive system files, and maintain persistence.

🟢

If Mitigated

Reduced blast radius if least privilege is enforced (few users can run arbitrary code on shared hosts), process-creation auditing and endpoint detection are in place, and network segmentation limits what a SYSTEM-level foothold on one host can reach. None of these prevent the escalation itself; only the patch does.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.
🏢 Internal Only: HIGH - Significant risk in environments where users have local access to systems, especially in shared or multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and some technical knowledge. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2023 security updates. The KB number depends on the Windows version and servicing branch (Windows 10, Windows 11 21H2/22H2 and each Server release ship separate cumulative updates), so take the KB and fixed build for your branch from the MSRC advisory rather than from a generic list.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29346

Restart Required: Yes

Instructions:

1. Apply the May 2023 Windows security updates via Windows Update.
2. In enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart each system after installation; the fix replaces a kernel-mode driver and is not active until reboot.

🔧 Temporary Workarounds

Restrict local access

windows

Reduce the number of accounts that can log on locally or run arbitrary code on a host: remove unneeded local logon and RDP rights on servers, keep standard users off administrative hosts, and treat multi-user hosts such as terminal servers and jump boxes as the highest patching priority, because any user on them can attempt the escalation.

Enable Windows Defender Exploit Guard

windows

Exploit Guard and its Attack Surface Reduction rules do not address a flaw in a kernel-mode file system driver, so they do not block this exploit directly. They can make it harder for an attacker to obtain the initial user-level code execution the exploit requires (for example, blocking child processes spawned by Office applications or executables delivered through mail clients), and their audit events give the SOC additional telemetry.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege for all user accounts
  • Monitor for privilege escalation attempts: enable process-creation auditing (Event ID 4688 with command-line logging) and alert on SYSTEM-level processes whose parent executable runs from a user-writable path

🔍 How to Verify

Check if Vulnerable:

Check that the May 2023 security update is installed: 'Get-Hotfix -Id KB5026372' in PowerShell (or 'wmic qfe list'; wmic is deprecated on current Windows releases). KB numbers differ per Windows version and servicing branch, so substitute the KB that the MSRC advisory lists for your build. Because cumulative updates supersede one another, a later cumulative update also contains the fix, which is why the build number (below) is the more reliable check.

Check Version:

wmic os get caption,version,buildnumber

Verify Fix Applied:

Confirm that the OS build, including the update build revision (UBR), is at or above the fixed build for your branch as listed in the advisory, and that the last boot time is later than the update's install time: the updated ntfs.sys is not loaded until the system has been restarted.
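The check above, as an added PowerShell example that is not part of the original page: it builds the full OS version (build plus UBR) from WMI and the registry, compares it with the fixed build for the host's branch, optionally checks the branch-specific KB, and confirms the host rebooted after the update was installed. The values for $PatchedBuild and $KB are assumptions the reader supplies from the MSRC advisory; the ones in the usage comment are placeholders, not real build or KB numbers for this CVE.

```powershell
# Added example, not code from the original page: decide whether this host carries the fix by
# comparing the OS build and update build revision (UBR) with the fixed build from the MSRC
# advisory, and confirm the host rebooted after the update was installed. $PatchedBuild and $KB
# are assumptions the reader supplies from the advisory for the host's servicing branch.

function Get-WindowsBuild {
    # Full build as major.minor.build.ubr (Win32_OperatingSystem.Version is 'major.minor.build';
    # the UBR lives in the registry), plus the last boot time.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption  = $os.Caption
        Build    = [version]('{0}.{1}' -f $os.Version, $cv.UBR)
        BootTime = $os.LastBootUpTime
    }
}

function Test-PatchState {
    param(
        # Fixed build for this host's branch, e.g. '10.0.<build>.<ubr>' from the advisory.
        [Parameter(Mandatory)][version]$PatchedBuild,
        # Optional KB id for this branch; cumulative updates supersede each other, so a
        # missing KB does not by itself mean the host is unpatched.
        [string]$KB
    )
    $b = Get-WindowsBuild
    # Build numbers are only comparable within one branch (19045 vs 22621 say nothing about each other).
    $sameBranch = $b.Build.Build -eq $PatchedBuild.Build
    $result = [pscustomobject]@{
        Caption       = $b.Caption
        Installed     = $b.Build
        Required      = $PatchedBuild
        SameBranch    = $sameBranch
        BuildPatched  = $sameBranch -and ($b.Build -ge $PatchedBuild)
        HotfixPresent = $null
        RebootedSince = $null
    }
    if ($KB) {
        $hf = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
        $result.HotfixPresent = [bool]$hf
        if ($hf -and $hf.InstalledOn) {
            # The fixed ntfs.sys is only loaded after a reboot that follows installation.
            $result.RebootedSince = $b.BootTime -gt $hf.InstalledOn
        }
    }
    $result
}

# Usage: take the build and KB for your branch from the MSRC advisory, e.g.
#   Test-PatchState -PatchedBuild '10.0.19045.1234' -KB 'KB1234567'   # placeholder values only
```

A host is fixed when SameBranch and BuildPatched are both true and, if the KB was supplied, RebootedSince is true; HotfixPresent alone is a weak signal because a later cumulative update replaces the May one and Get-HotFix will then no longer list it.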

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) where a process running as SYSTEM (SID S-1-5-18) has a parent executable under C:\Users\, %TEMP% or another user-writable path, or a parent that is not one of the normal service hosts; Event ID 4672 (special privileges assigned to new logon) is raised for every SYSTEM and administrator logon, so it is useful only as corroboration, not as a standalone alert

Network Indicators:

  • Lateral movement attempts from compromised systems

SIEM Query:

EventID=4688
  AND (NewProcessName ENDSWITH '\cmd.exe' OR NewProcessName ENDSWITH '\powershell.exe')
  AND (SubjectUserSid = 'S-1-5-18' OR TargetUserSid = 'S-1-5-18')
  AND ParentProcessName NOT IN ('C:\Windows\System32\services.exe', 'C:\Windows\System32\svchost.exe', 'C:\Windows\System32\wininit.exe', 'C:\Windows\System32\winlogon.exe')

Match on the SID rather than on SubjectUserName = 'SYSTEM': 4688 records the SYSTEM account's name as the computer account (HOST$), so a name comparison misses it. Treat any hit whose ParentProcessName starts with C:\Users\ as high severity, since a SYSTEM shell whose parent lives in a user profile is the signature of a user-launched local privilege escalation. TokenElevationType is a UAC attribute (%%1936 = default full token, %%1937 = elevated, %%1938 = limited) and does not distinguish an exploit's SYSTEM process from a legitimate one; SYSTEM and service processes carry the default token, so filtering on it is not useful here.
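The same detection logic as a runnable PowerShell hunt, added here as an example and not taken from the original page: it flattens 4688 records into objects, keys the SYSTEM check on SID S-1-5-18, and flags SYSTEM processes whose parent is either not on a small allowlist of legitimate system parents or lives in a user-writable path. The allowlist, the sample SIDs and the three embedded event records are constructed assumptions, shaped like the XML that Get-WinEvent's .ToXml() returns; the commented line at the end runs the same filter against a live Security log.

```powershell
# Added example, not code from the original advisory: hunt Security-log 4688 (process creation)
# records for a SYSTEM process whose parent is not one of the usual system parents, the
# post-exploitation pattern of a local EoP such as CVE-2023-29346. Needs 'Audit Process Creation'
# enabled (command-line logging recommended). The ParentProcessName and Target Subject fields
# exist in 4688 on Windows 10 / Server 2016 and later. Matching is by SID because 4688 shows
# SYSTEM's account *name* as the computer account (e.g. WS01$), not 'SYSTEM'.

$SystemSid = 'S-1-5-18'

# Parents that legitimately create SYSTEM processes. Assumption: a starting allowlist, tune it.
$KnownSystemParents = @(
    'C:\Windows\System32\services.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\winlogon.exe',
    'C:\Windows\System32\smss.exe',
    'C:\Windows\System32\csrss.exe'
)

function ConvertFrom-Event4688 {
    # Flatten one 4688 record (as [xml], e.g. from Get-WinEvent ... .ToXml()) into an object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    # Target Subject is S-1-0-0 / '-' when the new process runs under the creator's own token.
    $runsAsSid = if ($f['TargetUserSid'] -and $f['TargetUserSid'] -ne 'S-1-0-0') { $f['TargetUserSid'] } else { $f['SubjectUserSid'] }
    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Computer  = $EventXml.Event.System.Computer
        Creator   = $f['SubjectUserName']
        RunsAsSid = $runsAsSid
        Process   = $f['NewProcessName']
        Parent    = $f['ParentProcessName']
        CmdLine   = $f['CommandLine']
    }
}

function Find-SuspiciousSystemProcess {
    # Emit records where a SYSTEM process has a parent that is unexpected or lives in a
    # user-writable path (the strongest single signal for a user-launched EoP exploit).
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $e = ConvertFrom-Event4688 -EventXml $EventXml
        if ($e.RunsAsSid -ne $SystemSid) { return }
        $userWritable  = $e.Parent -match '^[A-Za-z]:\\Users\\' -or $e.Parent -match '\\(Temp|AppData|ProgramData)\\'
        $unknownParent = $KnownSystemParents -notcontains $e.Parent
        if (-not ($userWritable -or $unknownParent)) { return }
        $reason = if ($userWritable) { 'SYSTEM process, parent in user-writable path' } else { 'SYSTEM process, non-allowlisted parent' }
        $e | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
    }
}

# --- Constructed sample records (not real logs), shaped like Get-WinEvent's .ToXml() output ---
function New-Sample4688 {
    param($SubjectSid, $Subject, $TargetSid, $Target, $Parent, $Process, $CommandLine)
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-10T09:15:00Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">$SubjectSid</Data><Data Name="SubjectUserName">$Subject</Data>
    <Data Name="NewProcessName">$Process</Data><Data Name="TokenElevationType">%%1936</Data>
    <Data Name="CommandLine">$CommandLine</Data>
    <Data Name="TargetUserSid">$TargetSid</Data><Data Name="TargetUserName">$Target</Data>
    <Data Name="ParentProcessName">$Parent</Data>
  </EventData>
</Event>
"@
}
$alice = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # assumed local user SID
$samples = @(
    # Benign: the service control manager starting a service host as SYSTEM.
    (New-Sample4688 $SystemSid 'WS01$' 'S-1-0-0' '-' 'C:\Windows\System32\services.exe' 'C:\Windows\System32\svchost.exe' 'svchost.exe -k netsvcs'),
    # Benign: a standard user opening a shell from Explorer.
    (New-Sample4688 $alice 'alice' 'S-1-0-0' '-' 'C:\Windows\explorer.exe' 'C:\Windows\System32\cmd.exe' 'cmd.exe'),
    # Suspicious: a binary in alice's profile now holds a SYSTEM token and spawns cmd.exe.
    # The Subject already reads as SYSTEM (WS01$); only the parent path gives it away.
    (New-Sample4688 $SystemSid 'WS01$' 'S-1-0-0' '-' 'C:\Users\alice\Downloads\poc.exe' 'C:\Windows\System32\cmd.exe' 'cmd.exe /c whoami')
)
$samples | Find-SuspiciousSystemProcess | Format-Table Time, Creator, Process, Parent, Reason -AutoSize

# Against a live host (last 24 h):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} |
#     ForEach-Object { [xml]$_.ToXml() } | Find-SuspiciousSystemProcess
```

Only the third sample is reported. The allowlist will need tuning per estate (scheduled tasks, EDR agents and installers all create SYSTEM processes from other parents), but the user-writable-parent rule is precise enough to page on by itself.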

🔗 References
