CVE-2023-35322
📋 TL;DR
CVE-2023-35322 is a remote code execution vulnerability in Windows Deployment Services (WDS) that allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges on affected servers. This affects organizations using Windows Deployment Services for network-based operating system deployment. The vulnerability is particularly dangerous because it can be exploited without authentication.
💻 Affected Systems
- Windows Deployment Services
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WDS server with SYSTEM privileges, enabling lateral movement across the network, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Attacker gains full control of the WDS server, potentially compromising PXE boot images and using the server as a pivot point to attack other systems on the network.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts before successful compromise.
🎯 Exploit Status
Microsoft has confirmed the vulnerability is being exploited in the wild. The attack requires network access to the WDS server's TFTP port (typically UDP 69).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply July 2023 or later security updates for Windows Server
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35322
Restart Required: Yes
Instructions:
1. Apply the latest Windows Server security updates from Microsoft Update. 2. Restart the server after installation. 3. Verify the patch is applied by checking system updates history.
🔧 Temporary Workarounds
Disable Windows Deployment Services
windowsRemove or disable the WDS role if not required for operations
Remove-WindowsFeature -Name WDS
Block TFTP port at network perimeter
allBlock UDP port 69 (TFTP) at firewalls to prevent external exploitation
🧯 If You Can't Patch
- Segment WDS servers from critical network segments and implement strict network access controls
- Monitor for unusual TFTP traffic patterns and failed exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if Windows Deployment Services role is installed and if July 2023 security updates are not appliedCheck Version:
Get-WindowsFeature -Name WDSVerify Fix Applied:
Verify July 2023 or later security updates are installed via Windows Update history or Get-HotFix PowerShell command📡 Detection & Monitoring
Log Indicators:
- Unusual TFTP request patterns in Windows Event Logs
- Failed WDS service starts or crashes
Network Indicators:
- Unusual TFTP traffic to WDS servers, especially from unexpected sources
- TFTP requests with abnormal packet sizes or patterns
SIEM Query:
source="WinEventLog:Security" EventID=4688 AND (ProcessName="*wds*" OR CommandLine="*wds*")