CVE-2023-35387
📋 TL;DR
This vulnerability in the Windows Bluetooth A2DP driver allows an attacker to gain SYSTEM-level privileges on affected systems. It affects Windows devices with Bluetooth capabilities, requiring local access to exploit. Attackers can escalate from a lower-privileged user account to complete system control.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, persistence mechanisms, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install backdoors, access sensitive system files, and maintain persistence on compromised machines.
If Mitigated
Limited impact with proper network segmentation, endpoint protection, and least privilege principles in place, though local compromise remains possible.
🎯 Exploit Status
Requires local access and some user interaction. Exploitation details not publicly disclosed as of knowledge cutoff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35387
Restart Required: Yes
Instructions:
1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS, Microsoft Endpoint Configuration Manager, or Microsoft Intune. 3. Verify installation in Windows Update history.
🔧 Temporary Workarounds
Disable Bluetooth
windowsTemporarily disable Bluetooth functionality to prevent exploitation
Disable via Settings > Bluetooth & devices > Bluetooth toggle
PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName "Bluetooth"
Device Manager: Right-click Bluetooth adapter > Disable device
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege principles and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if July 2023 security updates are installed via Windows Update history or systeminfo commandCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5028166 (Windows 10) or KB5028185 (Windows 11) is installed in Windows Update history📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: New process creation with SYSTEM privileges from non-SYSTEM accounts
- Security log entries showing privilege escalation attempts
- Bluetooth service anomalies
Network Indicators:
- Unusual Bluetooth connection attempts from unexpected devices
- Lateral movement from previously compromised hosts
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"