CVE-2023-35363
📋 TL;DR
This Windows kernel vulnerability allows attackers to elevate privileges from a lower-privileged account to SYSTEM-level access. It affects Windows operating systems and requires local access to exploit. Attackers must already have some level of access to the target system.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, credential theft, persistence mechanisms, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install backdoors, or access sensitive data on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Requires local access and some level of existing privileges. CWE-122 indicates heap-based buffer overflow vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35363
Restart Required: Yes
Instructions:
1. Open Windows Update settings. 2. Check for updates. 3. Install July 2023 security updates. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict local access
windowsLimit local user accounts and implement strict access controls to reduce attack surface.
Enable Windows Defender Exploit Guard
windowsUse exploit protection to make exploitation more difficult.
🧯 If You Can't Patch
- Implement strict least privilege principles for all user accounts
- Deploy endpoint detection and response (EDR) solutions with behavioral monitoring
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for July 2023 security updates or use: wmic qfe list | findstr KB5028166 (or relevant KB for your OS)Check Version:
winverVerify Fix Applied:
Verify July 2023 security updates are installed via Windows Update history or Settings > Update & Security > View update history📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with unusual parent processes
- Unexpected privilege escalation events in Security logs
- Suspicious kernel-mode driver loading
Network Indicators:
- Unusual outbound connections from systems after local compromise
- Lateral movement attempts from previously compromised hosts
SIEM Query:
EventID=4688 AND (NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe") AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"