CVE-2023-35378
📋 TL;DR
This vulnerability in Windows Projected File System allows attackers to elevate privileges on affected systems. It enables local authenticated users to gain SYSTEM-level access by exploiting a time-of-check-time-of-use (TOCTOU) race condition. Only Windows systems with Projected File System enabled are affected.
💻 Affected Systems
- Windows Projected File System
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence installation, and lateral movement across the network.
Likely Case
Local authenticated attacker elevates to SYSTEM privileges to install malware, steal credentials, or bypass security controls.
If Mitigated
With proper access controls and monitoring, impact limited to isolated system with quick detection and remediation.
🎯 Exploit Status
Requires local authenticated access and knowledge of Projected File System internals. Exploitation involves race condition timing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028185 for Windows 11, KB5028182 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35378
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Verify update installation with winver command.
🔧 Temporary Workarounds
Disable Projected File System
windowsDisable the Projected File System feature if not required for business operations.
Disable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
🧯 If You Can't Patch
- Restrict local user access to systems with Projected File System enabled
- Implement application control policies to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check if Projected File System is enabled: Get-WindowsOptionalFeature -Online -FeatureName Client-ProjFSCheck Version:
winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2023 security updates are installed: Get-HotFix -Id KB5028185, KB5028182, or related KB numbers📡 Detection & Monitoring
Log Indicators:
- Unusual Projected File System API calls
- Process creation with SYSTEM privileges from non-admin users
- Security event 4688 with elevated privileges
Network Indicators:
- Not applicable - local privilege escalation only
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"