CVE-2023-35359
📋 TL;DR
This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges, potentially taking full control of the affected system. It affects Windows operating systems and requires an attacker to have initial access to the system.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with persistent backdoor installation, credential theft, lateral movement across the network, and data exfiltration.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of malware, disabling security controls, or accessing sensitive data.
If Mitigated
Limited impact due to proper patch management, endpoint protection, and least privilege principles preventing initial access.
🎯 Exploit Status
Exploit requires local authenticated access. Proof-of-concept code has been published, making weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35359
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict local user privileges
windowsImplement least privilege principles to limit what authenticated users can do, reducing impact if exploited.
Enable exploit protection
windowsUse Windows Defender Exploit Guard or similar tools to add exploit mitigations.
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to detect privilege escalation attempts
- Segment networks to limit lateral movement potential after exploitation
🔍 How to Verify
Check if Vulnerable:
Check if July 2023 security updates are installed via 'wmic qfe list' or 'systeminfo' command.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5028166 (Windows 10) or KB5028185 (Windows 11) or equivalent Server patches are installed.📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) showing unusual parent-child process relationships
- Unexpected SYSTEM privilege processes launched from user contexts
Network Indicators:
- Unusual outbound connections from systems after local exploitation
SIEM Query:
EventID=4688 AND NewProcessName="*" AND ParentProcessName="*" AND SubjectLogonId!=0x3e7 AND IntegrityLevel="System"