CVE-2023-35361
📋 TL;DR
This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges, potentially taking full control of affected systems. It affects Windows 10, Windows 11, and Windows Server versions. Attackers need local access to exploit this privilege escalation flaw.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining SYSTEM privileges, installing persistent malware, accessing all data, and pivoting to other systems.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access protected resources.
If Mitigated
Limited impact if proper access controls, least privilege principles, and endpoint protection are implemented.
🎯 Exploit Status
Exploitation requires local access and authentication. No public exploit code has been released as of knowledge cutoff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028185 for Windows 10, KB5028182 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35361
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after update installation.
🔧 Temporary Workarounds
Restrict local access
windowsLimit who has local login privileges to essential personnel only
Implement least privilege
windowsEnsure users operate with minimal necessary privileges
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Deploy endpoint detection and response (EDR) solutions to detect exploitation behavior
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for July 2023 security updates or run 'systeminfo' command and verify build number is patched.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5028185 (Windows 10) or KB5028182 (Windows 11) is installed via 'wmic qfe list' or PowerShell 'Get-HotFix -Id KB5028185'.📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) with unusual parent-child relationships
- Security log events showing privilege escalation
Network Indicators:
- Unusual outbound connections from system processes
SIEM Query:
EventID=4688 AND (ParentProcessName="*cmd.exe" OR ParentProcessName="*powershell.exe") AND NewProcessName="*\system32\*"