CVE-2023-35347
📋 TL;DR
This vulnerability allows attackers to elevate privileges on Windows systems by exploiting a flaw in the Microsoft Install Service. Attackers with local access can execute arbitrary code with SYSTEM privileges, affecting all Windows systems running vulnerable versions.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive system resources.
If Mitigated
Limited impact if proper access controls and least privilege principles are enforced, though local attackers could still gain elevated privileges.
🎯 Exploit Status
Requires local access to the system. The vulnerability is in the Windows Install Service component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35347
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or Microsoft Endpoint Configuration Manager. 3. Restart systems after update installation.
🔧 Temporary Workarounds
Disable Windows Install Service
windowsTemporarily disable the vulnerable service to prevent exploitation
sc config msiserver start= disabled
net stop msiserver
Restrict service permissions
windowsModify service permissions to limit who can interact with Windows Install Service
sc sdset msiserver D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles
- Monitor for suspicious service manipulation and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows version and compare with patched versions. Systems without July 2023 security updates are vulnerable.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify Windows Update history shows July 2023 security updates installed, or check system version matches patched versions.📡 Detection & Monitoring
Log Indicators:
- Event ID 4697: Service installed in the system
- Unusual service creation or modification events
- Windows Install Service activity from non-standard accounts
Network Indicators:
- No network indicators - local privilege escalation only
SIEM Query:
EventID=4697 OR (EventID=7045 AND ServiceName="msiserver")