CVE-2023-36047
📋 TL;DR
This Windows authentication vulnerability allows attackers to elevate privileges on affected systems. An authenticated attacker could exploit this to gain SYSTEM-level access. It affects Windows systems with specific configurations.
💻 Affected Systems
- Windows
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.
Likely Case
Privilege escalation from standard user to administrator/SYSTEM level, allowing installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
Limited impact due to proper patch management, least privilege principles, and network segmentation preventing lateral movement.
🎯 Exploit Status
Requires authenticated access and specific conditions to trigger the vulnerability. No public exploit code was known at the time this summary was written.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: November 2023 security updates (KB5032190 for Windows 10, KB5032197 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36047
Restart Required: Yes
Instructions:
1. Apply the November 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart systems after the patch installation completes.
🔧 Temporary Workarounds
Restrict authentication protocols
Limit the accepted authentication methods to reduce the attack surface.
Configure Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
🧯 If You Can't Patch
- Implement strict least privilege principles - ensure users only have necessary permissions
- Segment networks to limit lateral movement potential after privilege escalation
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for the November 2023 security updates, or run: wmic qfe list | findstr "KB5032190 KB5032197 KB5032198" (note that a later cumulative update supersedes these KBs, so their absence on a system with a newer cumulative update does not by itself mean the system is vulnerable)
Check Version:
winver
Verify Fix Applied:
Verify November 2023 security updates are installed via Windows Update or command: systeminfo | findstr "Hotfix"
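The following PowerShell script is an added example (not part of this advisory) that automates the two checks described above: whether one of the November 2023 KBs quoted on this page is installed, and whether the LAN Manager authentication level workaround from the Temporary Workarounds section is in effect. The KB numbers are taken from this page and should be confirmed against the MSRC advisory for your exact build; the registry value LmCompatibilityLevel is the documented backing store of that Group Policy setting (5 = "Send NTLMv2 response only. Refuse LM & NTLM").

```powershell
# KB numbers as quoted on this page; confirm against the MSRC advisory for your build.
$PatchKBs = @('KB5032190', 'KB5032197', 'KB5032198')

function Test-Cve202336047Patch {
    # Get-HotFix reads the same installed-update data as "wmic qfe list".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($PatchKBs | Where-Object { $installed -contains $_ })

    # Caveat: a later cumulative update supersedes the November 2023 LCU, so a
    # system with a newer build may be patched without listing any of these KBs.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $ver.DisplayVersion          # e.g. 22H2
        Build          = "$($ver.CurrentBuild).$($ver.UBR)"
        MatchedKBs     = $found
        HasNov2023KB   = ($found.Count -gt 0)
    }
}

function Test-LmAuthLevelWorkaround {
    # Registry value behind "Network security: LAN Manager authentication level".
    # 5 = Send NTLMv2 response only. Refuse LM & NTLM (the workaround on this page).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        LmCompatibilityLevel = $level                 # $null means "not configured"
        WorkaroundApplied    = ($level -eq 5)
    }
}

# Run both checks; run from an elevated prompt so Get-HotFix can query all updates.
Test-Cve202336047Patch
Test-LmAuthLevelWorkaround
```

Treat HasNov2023KB = False as a prompt to compare the reported build against the current Microsoft release notes, not as proof the system is unpatched.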
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4672 (Special privileges assigned to new logon)
- Event ID 4624 with elevated privileges from unexpected accounts
- Authentication protocol anomalies in Event ID 4776
Network Indicators:
- Unusual authentication traffic patterns
- Multiple privilege escalation attempts from single source
SIEM Query:
source="WinEventLog:Security" (EventID=4672 OR (EventID=4624 AND ElevatedToken="%%1842")) | stats count by host, user