CVE-2023-36721
📋 TL;DR
This vulnerability in Windows Error Reporting Service allows authenticated local attackers to execute arbitrary code with SYSTEM privileges. It affects Windows systems where an attacker has initial access to a standard user account and can exploit improper privilege management.
💻 Affected Systems
- Windows Error Reporting Service
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation from standard user to SYSTEM on compromised workstations, leading to data exfiltration and further exploitation.
If Mitigated
Limited impact due to patch deployment, with only authenticated attacks possible and proper endpoint protection detecting exploitation attempts.
🎯 Exploit Status
Requires authenticated local access and specific conditions to trigger the vulnerability. No public exploit code was available at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: September 2023 security updates (KB5030211 for Windows 10, KB5030219 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36721
Restart Required: Yes
Instructions:
1. Apply September 2023 Windows security updates via Windows Update.
2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Windows Error Reporting Service
Temporarily disable the vulnerable service to prevent exploitation (run from an elevated command prompt):
sc config WerSvc start= disabled
sc stop WerSvc
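The two sc commands above are one-way; a reversible form of the same workaround, added here as an example and not part of the original advisory, records WerSvc's original start type and status before disabling it so the service can be restored once the patch is installed. The state-file path is an assumption; run from an elevated PowerShell session.

```powershell
# Added example (not from the advisory): reversible form of the WerSvc workaround.
# Saves the service's original start type before disabling it so it can be put
# back after patching. $StatePath is an assumed location; adjust as needed.
$StatePath = "$env:ProgramData\WerSvc-workaround.json"

function Disable-WerSvcWorkaround {
    $svc = Get-Service -Name WerSvc
    if (-not (Test-Path $StatePath)) {
        # Record the pre-change state only once so repeated runs do not overwrite it
        @{ StartType = [string]$svc.StartType; Status = [string]$svc.Status } |
            ConvertTo-Json | Set-Content -Path $StatePath
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WerSvc -Force }
    Set-Service -Name WerSvc -StartupType Disabled
    Get-Service -Name WerSvc | Select-Object Name, Status, StartType
}

function Restore-WerSvcWorkaround {
    if (-not (Test-Path $StatePath)) { throw "No saved WerSvc state found at $StatePath" }
    $saved = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    Set-Service -Name WerSvc -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name WerSvc }
    Remove-Item -Path $StatePath
    Get-Service -Name WerSvc | Select-Object Name, Status, StartType
}

# Apply the workaround now; call Restore-WerSvcWorkaround after the update is installed.
Disable-WerSvcWorkaround
```

Disabling WerSvc also stops crash reports from being collected on the host, which is why the saved state matters: Restore-WerSvcWorkaround puts the service back to its previous start type (Manual on a default install) rather than guessing.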
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles to limit authenticated user access
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if September 2023 security updates are installed via 'systeminfo' command or Windows Update history
Check Version:
wmic qfe list | findstr KB5030211
Verify Fix Applied:
Verify KB5030211 (Windows 10) or KB5030219 (Windows 11) is installed in Installed Updates
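The wmic check above only looks for one KB and wmic itself is deprecated. The following PowerShell function, an added example rather than advisory text, picks the KB named on this page by OS build (the page lists KB5030211 for Windows 10 and KB5030219 for Windows 11; treating build 22000 and above as Windows 11 is an assumption) and reports whether Get-HotFix lists it.

```powershell
# Added example (not from the advisory): checks for the September 2023 update
# named on this page, selecting the KB by OS build number.
# Assumption: builds >= 22000 are Windows 11, lower builds are Windows 10.
# Other SKUs (Server, LTSC) may receive a different KB; check the vendor advisory.

function Test-Cve202336721Patched {
    [CmdletBinding()]
    param()

    $build      = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $expectedKb = if ($build -ge 22000) { 'KB5030219' } else { 'KB5030211' }

    # Get-HotFix queries Win32_QuickFixEngineering, the same source as 'wmic qfe list'
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $_.HotFixID -eq $expectedKb }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        BuildNumber  = $build
        ExpectedKB   = $expectedKb
        Patched      = [bool]$installed
        InstalledOn  = if ($installed) { $installed.InstalledOn } else { $null }
    }
}

Test-Cve202336721Patched | Format-List
```

A later cumulative update supersedes the September one, so a host that shows Patched = False but carries a newer LCU is not necessarily vulnerable; in that case compare the installed build revision against the vendor advisory rather than relying on the KB name alone.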
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with WerSvc parent process spawning unexpected child processes
- Unusual WerSvc service activity in Security logs
Network Indicators:
- No specific network indicators as this is local privilege escalation
SIEM Query:
EventID=4688 AND ParentProcessName="*WerSvc*" AND NewProcessName NOT IN ("*expected_processes*")
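The SIEM query above is pseudo-syntax and matches on a parent named WerSvc, but WerSvc is hosted inside svchost.exe, so in a real 4688 event the parent appears as svchost.exe (or WerFault.exe for the reporting process), not as the service name. The PowerShell hunt below is an added example, not part of the advisory, that reads Security log 4688 events and applies that correction; the allow-list and suspicious-child list are assumptions to be tuned against your own baseline, and it must run elevated on a host where Audit Process Creation is enabled.

```powershell
# Added example (not from the advisory): hunts Security log 4688 events for
# processes spawned under the Windows Error Reporting host with the SYSTEM token.
# Requires 'Audit Process Creation'; CommandLine is only populated when
# 'Include command line in process creation events' is also enabled.
# Both lists below are assumptions; tune them to your environment.

$AllowedWerChildren = @('werfault.exe', 'wermgr.exe', 'conhost.exe')
$ShellLikeChildren  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
                        'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

function Get-SuspiciousWerSpawns {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $parent = [IO.Path]::GetFileName([string]$d['ParentProcessName']).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$d['NewProcessName']).ToLowerInvariant()
        $isSystem = $d['SubjectUserSid'] -eq 'S-1-5-18'   # well-known SID for LocalSystem

        # WerFault.exe should only ever launch the WER helper set; any other child is odd.
        # svchost.exe hosts many services, so only flag shell-like children there.
        $hit = ($parent -eq 'werfault.exe' -and $child -notin $AllowedWerChildren) -or
               ($parent -eq 'svchost.exe'  -and $child -in    $ShellLikeChildren)

        if ($isSystem -and $hit) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $d['ParentProcessName']
                Child       = $d['NewProcessName']
                CommandLine = $d['CommandLine']
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

Get-SuspiciousWerSpawns | Sort-Object Time -Descending | Format-Table -AutoSize
```

Expect some noise from the svchost.exe branch: the Task Scheduler service also lives in svchost.exe and legitimately launches cmd.exe or powershell.exe as SYSTEM for scheduled tasks, so baseline those task command lines into an allow-list before alerting on the result.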