CVE-2023-35841

7.8 HIGH

📋 TL;DR

This vulnerability in the Phoenix WinFlash Driver allows attackers with local access to escalate privileges by exploiting an exposed IOCTL interface with insufficient access controls. It enables modification of system firmware, affecting Windows systems running vulnerable driver versions. This primarily impacts organizations using Phoenix firmware management tools.

💻 Affected Systems

Products:
  • Phoenix WinFlash Driver
Versions: All versions before 4.5.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Phoenix firmware management tools installed; driver typically runs with SYSTEM privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through firmware modification, allowing persistent malware installation, data theft, and system bricking.

🟠 Likely Case

Local privilege escalation to SYSTEM level, enabling installation of malware, credential theft, and lateral movement within networks.

🟢 If Mitigated

Limited to authenticated users with local access; proper privilege separation and driver restrictions prevent exploitation.

🌐 Internet-Facing: LOW - Requires local system access; not directly exploitable over internet.
🏢 Internal Only: HIGH - Local attackers or malware can exploit this for privilege escalation and persistence.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once access is obtained; similar driver vulnerabilities have been weaponized in malware.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0.0

Vendor Advisory: https://phoenixtech.com/phoenix-security-notifications/cve-2023-35841/

Restart Required: Yes

Instructions:

1. Download WinFlash Driver version 4.5.0.0 or later from the Phoenix website.
2. Uninstall the current vulnerable driver.
3. Install the updated driver.
4. Reboot the system.

🔧 Temporary Workarounds

Driver Removal (Windows)

Remove the vulnerable WinFlash Driver if it is not required for system functionality. Replace oem#.inf with the published name of the WinFlash driver package (list installed packages with pnputil /enum-drivers); WinFlash is the assumed service name.

pnputil /delete-driver oem#.inf /uninstall
sc delete WinFlash

Driver Blocking (Windows)

Use Windows Driver Block Rules to prevent the vulnerable driver from loading:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Driver Security" /v "DriverBlockRules" /t REG_SZ /d "PhoenixWinFlash.inf" /f

🧯 If You Can't Patch

  • Restrict local access to systems; implement least privilege principles
  • Monitor for suspicious driver loading events and IOCTL calls

🔍 How to Verify

Check if Vulnerable:

Check the driver version in Device Manager under System devices, or run: driverquery | findstr WinFlash

Check Version:

driverquery /fo csv | findstr WinFlash

Verify Fix Applied:

Verify that the installed driver version is 4.5.0.0 or higher using driverquery or Device Manager.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7045: Service installation for WinFlash
  • Suspicious driver loading events
  • Unexpected IOCTL calls to WinFlash driver

Network Indicators:

  • Not network exploitable; focus on host-based indicators

SIEM Query:

EventID=7045 AND (ServiceName="WinFlash" OR ProcessName="WinFlash")
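A small helper, added here and not part of this advisory or of Phoenix's own tooling, that covers both the version check in "How to Verify" and the Event ID 7045 indicator above: it compares a driver version string against the fixed version 4.5.0.0 and flags WinFlash service-installation records in a constructed, simplified log export (the key=value line format and the field names are assumptions, not a real Windows export format).

```python
import re
from typing import Iterable

FIXED_VERSION = (4, 5, 0, 0)  # first patched WinFlash driver version per the advisory

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.4.12.0' into (4, 4, 12, 0); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def is_vulnerable_version(text: str) -> bool:
    """True if the driver version is below 4.5.0.0 (all versions before the fix)."""
    return parse_version(text) < FIXED_VERSION

# Constructed sample of exported System-log records (Event ID 7045 = service installed),
# written as simple key=value lines; field names are assumptions, not a real export format.
SAMPLE_EVENTS = """
EventID=7045 ServiceName=WinFlash ImagePath=C:\\Windows\\System32\\drivers\\WinFlash64.sys ServiceType="kernel mode driver"
EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType="user mode service"
EventID=7036 ServiceName=WinFlash State=running
EventID=7045 ServiceName=winflash_svc ImagePath=C:\\Temp\\wf.sys ServiceType="kernel mode driver"
""".strip().splitlines()

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict[str, str]:
    """Split one key=value record into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def flag_winflash_installs(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return the 7045 records whose service name mentions WinFlash (case-insensitive)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "7045" and "winflash" in ev.get("ServiceName", "").lower():
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ver in ("4.4.0.2", "4.5.0.0", "4.6.1"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for ev in flag_winflash_installs(SAMPLE_EVENTS):
        print("ALERT 7045:", ev["ServiceName"], ev.get("ImagePath"))
```

Feed flag_winflash_installs real exported records after adapting parse_event to your SIEM's field names; the 7036 line in the sample shows why filtering on EventID matters, since the driver's start/stop events share the service name.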
