CVE-2023-36718

7.8 HIGH

📋 TL;DR

CVE-2023-36718 is a remote code execution vulnerability in Microsoft's Virtual Trusted Platform Module (vTPM) that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems with vTPM enabled, particularly virtualization environments. Attackers could gain complete control over affected systems.

💻 Affected Systems

Products:
  • Microsoft Windows
  • Microsoft Hyper-V
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Requires vTPM to be enabled. Primarily affects virtualized environments using Hyper-V with vTPM configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation across virtualized environments.

🟠 Likely Case

Privilege escalation from authenticated user to SYSTEM, leading to credential theft, malware deployment, and control over virtual machines.

🟢 If Mitigated

Limited impact due to authentication requirements and network segmentation, with potential for isolated VM compromise but not host escape.

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited through exposed management interfaces or compromised credentials.
🏢 Internal Only: HIGH - Significant risk in virtualized environments where attackers could move laterally between VMs and potentially compromise hypervisors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication and vTPM access. Exploitation likely involves specially crafted requests to vTPM components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2023 security updates (KB5030211 for Windows 11, KB5030219 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36718

Restart Required: Yes

Instructions:

1. Apply the September 2023 security updates from Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable vTPM (platform: windows)

Temporarily disable Virtual Trusted Platform Module functionality.

PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V-TPM-Device"

Network Segmentation (platform: all)

Isolate vTPM management interfaces from untrusted networks.

🧯 If You Can't Patch

  • Implement strict access controls to vTPM management interfaces
  • Monitor for unusual vTPM-related process activity and network traffic

🔍 How to Verify

Check if Vulnerable:

The system is vulnerable if vTPM is enabled and it has not received the September 2023 security updates.

Check Version:

PowerShell: Get-HotFix -Id KB5030211, KB5030219 (substitute the KB that applies to your OS version; no output means the update is not installed)

Verify Fix Applied:

Confirm that the September 2023 security updates are installed and that the OS build number matches a patched build.
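The two checks above combined into one script for a Hyper-V host, added here as an example and not part of the advisory: it looks for the September 2023 KBs listed on this page with Get-HotFix and enumerates VMs whose vTPM is on via Get-VMSecurity (Hyper-V module, TpmEnabled property). It assumes only the two KB numbers named above; other builds need their KB added to the list.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session on a Hyper-V host.
# It checks whether a September 2023 KB listed on this page is installed and which VMs have a
# vTPM enabled, so an operator can see whether this host is in scope for CVE-2023-36718.
# Assumption: only the two KB numbers from this page are checked; add the KB for your own build.
$RequiredKBs = @('KB5030211', 'KB5030219')

function Test-Sept2023Update {
    param([string[]]$KBs = $RequiredKBs)
    # Get-HotFix lists installed updates; HotFixID carries the KB number.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $KBs -contains $_.HotFixID })
    [pscustomobject]@{
        Patched   = ($found.Count -gt 0)
        Installed = ($found.HotFixID -join ', ')
    }
}

function Get-VTpmEnabledVM {
    # Get-VMSecurity (Hyper-V module) reports the per-VM TpmEnabled flag.
    if (-not (Get-Command Get-VMSecurity -ErrorAction SilentlyContinue)) {
        Write-Warning 'Hyper-V PowerShell module not available; cannot enumerate vTPM state.'
        return
    }
    Get-VM | Where-Object { (Get-VMSecurity -VM $_).TpmEnabled } |
        Select-Object -ExpandProperty Name
}

$update  = Test-Sept2023Update
$vtpmVMs = @(Get-VTpmEnabledVM)

if ($update.Patched) { "September 2023 update present: $($update.Installed)" }
else                 { "No September 2023 update found (checked: $($RequiredKBs -join ', '))" }

if ($vtpmVMs.Count -gt 0) {
    "VMs with vTPM enabled: $($vtpmVMs -join ', ')"
    if (-not $update.Patched) {
        Write-Warning 'vTPM in use and update missing: this host is in scope for CVE-2023-36718.'
    }
} else {
    'No VMs with vTPM enabled on this host.'
}
```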

📡 Detection & Monitoring

Log Indicators:

  • Unusual vTPM service activity
  • Failed authentication attempts to vTPM interfaces
  • Process creation with SYSTEM privileges from vTPM context

Network Indicators:

  • Unusual traffic to vTPM ports (typically 5357, 5358)
  • Anomalous RPC/DCOM traffic patterns

SIEM Query:

EventID=4688 AND (NewProcessName contains "tpm" OR ParentProcessName contains "tpm")
