CVE-2023-35641
📋 TL;DR
CVE-2023-35641 is a remote code execution vulnerability in the Windows Internet Connection Sharing (ICS) service. An attacker could exploit it to execute arbitrary code with SYSTEM privileges on affected systems. Only Windows systems with ICS enabled are exposed.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling complete control over the system, data theft, lateral movement, and persistence.
Likely Case
Initial foothold leading to privilege escalation, credential harvesting, and deployment of ransomware or other malware.
If Mitigated
Limited impact due to network segmentation, ICS disabled, or exploit blocked by security controls.
🎯 Exploit Status
Microsoft has not disclosed specific exploitation details. The vulnerability requires ICS to be enabled and accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2023 security updates (KB5033375 for Windows 11, KB5033372 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35641
Restart Required: Yes
Instructions:
1. Apply the December 2023 Windows security updates via Windows Update.
2. Alternatively, download and install the appropriate KB update from the Microsoft Update Catalog.
3. Restart the system after installation.
🔧 Temporary Workarounds
Disable Internet Connection Sharing
Disables the vulnerable ICS service to prevent exploitation.
sc config SharedAccess start= disabled
sc stop SharedAccess
Block ICS ports with firewall
Blocks inbound network access to the ICS service ports. DHCP (67/68) and SSDP (1900) are carried over UDP, so a single TCP-only rule leaves them open; create one rule per protocol.
netsh advfirewall firewall add rule name="Block ICS UDP" dir=in action=block protocol=UDP localport=67,68,1900
netsh advfirewall firewall add rule name="Block ICS TCP" dir=in action=block protocol=TCP localport=1900,2869,5357,5358
🧯 If You Can't Patch
- Disable Internet Connection Sharing service if not required
- Implement network segmentation to isolate systems with ICS enabled
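The two workarounds above (disable the service, block the ports) as one PowerShell script, added here as an example and not taken from the advisory or from Microsoft. It must run from an elevated prompt; the rule name prefix "Block ICS (CVE-2023-35641)" and the function names are this script's own assumptions.

```powershell
# Added example (not from the advisory): apply the temporary workarounds with
# PowerShell cmdlets instead of sc.exe / netsh. Run from an elevated prompt.
# The rule name prefix and function names below are assumptions of this script.

function Disable-IcsService {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-Service -Name SharedAccess -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess('SharedAccess', 'Stop and disable service')) {
        # Stop first so the change takes effect without waiting for a reboot.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name SharedAccess -Force }
        Set-Service -Name SharedAccess -StartupType Disabled
    }
    Get-Service -Name SharedAccess | Select-Object Name, Status, StartType
}

function Block-IcsPorts {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RulePrefix = 'Block ICS (CVE-2023-35641)')
    # DHCP (67/68) and SSDP (1900) are UDP; UPnP device host (2869) and
    # WSD (5357/5358) are TCP. One TCP-only rule would leave the UDP ports open.
    $rules = @(
        @{ Name = "$RulePrefix UDP"; Protocol = 'UDP'; Ports = 67, 68, 1900 },
        @{ Name = "$RulePrefix TCP"; Protocol = 'TCP'; Ports = 1900, 2869, 5357, 5358 }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.Name)' already exists, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.Name, 'Create inbound block rule')) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Ports -Profile Any | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | Select-Object DisplayName, Enabled, Action
}

Disable-IcsService
Block-IcsPorts -Verbose
```

Both functions support `-WhatIf` so the change can be previewed first. Note that an inbound block on UDP 68 also stops DHCP replies to the host's own DHCP client; on a host that obtains its address by DHCP, either drop 68 from the UDP rule or scope it with `-RemoteAddress` to the ICS-side subnet.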
🔍 How to Verify
Check if Vulnerable:
Check if ICS service is running: sc query SharedAccess | findstr RUNNING
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify December 2023 security updates are installed: wmic qfe list | findstr KB503337
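The three checks above combined into a single report, added here as an example script (not from the advisory). The KB numbers are the ones the advisory lists; the function name and verdict strings are this script's own.

```powershell
# Added example (not from the advisory): run the service, version and hotfix
# checks from the "How to Verify" section and summarise them in one object.
# KB numbers are those listed in the advisory; nothing else here is official.

function Get-IcsExposureReport {
    [CmdletBinding()]
    param([string[]]$FixKBs = @('KB5033372', 'KB5033375'))

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue

    # Get-HotFix reads the same data as 'wmic qfe list'.
    $installed = Get-HotFix | Where-Object { $FixKBs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID

    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotPresent' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotPresent' }

    $verdict = if ($installed) {
        'Patched: listed December 2023 update present'
    } elseif ($status -eq 'Running') {
        'VULNERABLE: ICS running and no listed fix KB found'
    } elseif ($startType -eq 'Disabled') {
        'Unpatched but mitigated: ICS disabled'
    } else {
        'Unpatched: ICS stopped but can still start; patch or disable it'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSName         = $os.Caption
        OSVersion      = $os.Version
        IcsStatus      = $status
        IcsStartType   = $startType
        FixKBInstalled = ($installed -join ',')
        Verdict        = $verdict
    }
}

Get-IcsExposureReport | Format-List
```

A later cumulative update supersedes the December 2023 package and may be the only one listed, in which case the KB check reports "Unpatched" on a patched host; in that situation compare `OSVersion` against the build numbers on the MSRC advisory page instead of relying on the KB list.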
📡 Detection & Monitoring
Log Indicators:
- Unexpected ICS service restarts
- Process creation from ICS service (svchost.exe with SharedAccess parameters)
- Network connections to ICS ports from unexpected sources
Network Indicators:
- Unusual traffic to UDP ports 67/68 (DHCP) or TCP ports 1900/2869/5357/5358 from ICS systems
- Anomalous outbound connections from ICS-enabled systems
SIEM Query:
source="windows" AND ((event_id=4688 AND process_name="svchost.exe" AND command_line="*SharedAccess*") OR (event_id=7045 AND service_name="SharedAccess"))
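The SIEM query above expressed as a PowerShell filter, added here as an example and not part of the advisory. It runs either over live Security and System logs or over the constructed sample events at the bottom; event IDs 4688 and 7045 come from the advisory, and 7036 (service state change) is added because that is where ICS service restarts are logged. The sample events are constructed, not real log data.

```powershell
# Added example (not from the advisory): host-side version of the SIEM query.
# 4688 = process creation (Security), 7045 = new service installed (System),
# 7036 = service entered running/stopped state (System), used for "unexpected
# ICS service restarts". Function names are this script's own.

function Test-IcsIndicator {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $msg = [string]$Event.Message
        $hit = switch ($Event.Id) {
            # svchost.exe launched with SharedAccess on its command line
            4688 { ($msg -match 'svchost\.exe') -and ($msg -match 'SharedAccess') }
            # a service registered under the SharedAccess name: ICS is built in, so this is tampering
            7045 { $msg -match 'SharedAccess' }
            # ICS service transitioned to running
            7036 { ($msg -match 'Internet Connection Sharing') -and ($msg -match 'running state') }
            default { $false }
        }
        if ($hit) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Id      = $Event.Id
                Log     = $Event.LogName
                Summary = $msg.Split("`n")[0].Trim()
            }
        }
    }
}

function Get-IcsEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # 4688 only carries the command line when "Audit Process Creation" with
    # command-line logging is enabled; without it the SharedAccess match never fires.
    $filters = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
        @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045, 7036; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | Test-IcsIndicator
    }
}

# Constructed sample events (not real log data) to exercise the filter offline.
$samples = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 4688; LogName = 'Security'
        Message = "A new process has been created.`nNew Process Name: C:\Windows\System32\svchost.exe`nProcess Command Line: C:\Windows\System32\svchost.exe -k netsvcs -p -s SharedAccess" },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 4688; LogName = 'Security'
        Message = "A new process has been created.`nNew Process Name: C:\Windows\System32\notepad.exe" },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 7036; LogName = 'System'
        Message = "The Internet Connection Sharing (ICS) service entered the running state." },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 7045; LogName = 'System'
        Message = "A service was installed in the system.`nService Name: SharedAccess`nService File Name: C:\placeholder\unexpected.exe" }
)
$samples | Test-IcsIndicator | Format-Table -AutoSize

# Live use: Get-IcsEvents -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

On a host where ICS is legitimately enabled, 7036 entries appear at every boot, so baseline them against the normal start-up window before treating a match as an alert; the 4688 and 7045 matches outside patch or configuration changes are the higher-value signals.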