CVE-2023-36802 – This vulnerability in Microsoft Streaming Servi... (How to Fix)

Q: What is the severity of CVE-2023-36802?

CVE-2023-36802 has a CVSS score of 7.8 (HIGH). This vulnerability in Microsoft Streaming Service Proxy allows attackers to escalate privileges on affected Windows systems. An authenticated attacker could exploit this to gain SYSTEM-level privileges, potentially taking full control of the system. This affects Windows servers and workstations with the vulnerable component enabled.

📋 TL;DR

This vulnerability in Microsoft Streaming Service Proxy allows attackers to escalate privileges on affected Windows systems. An authenticated attacker could exploit this to gain SYSTEM-level privileges, potentially taking full control of the system. This affects Windows servers and workstations with the vulnerable component enabled.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with Microsoft Streaming Service Proxy enabled. This service may be enabled by default on some Windows Server configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence establishment.

🟠

Likely Case

Privilege escalation from a standard user or service account to SYSTEM, allowing attackers to bypass security controls and execute arbitrary code.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege principles, and endpoint protection are in place, though local privilege escalation remains possible.

🌐 Internet-Facing: LOW - This requires local access or authenticated remote access to exploit, not directly exploitable from the internet.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a network, this vulnerability enables privilege escalation across affected Windows systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

CISA has added this to its Known Exploited Vulnerabilities catalog, indicating active exploitation. Requires authenticated access to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802

Restart Required: Yes

Instructions:

1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS, SCCM, or Intune. 3. Restart systems after update installation.

🔧 Temporary Workarounds

Disable Microsoft Streaming Service Proxy

windows

Disables the vulnerable service to prevent exploitation

sc config wcncsvc start= disabled
sc stop wcncsvc

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement
Apply least privilege principles and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if system is running a vulnerable Windows version without July 2023 security updates and has wcncsvc service running

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2023 security updates are installed and wcncsvc service version is updated

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with wcncsvc.exe spawning processes
Unexpected SYSTEM privilege escalation events
Security log entries showing service manipulation

Network Indicators:

Unusual outbound connections from wcncsvc.exe
Lateral movement attempts following local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName="*wcncsvc.exe*" | stats count by Computer, ParentProcessName, NewProcessName

📊 Metadata

CVE ID: CVE-2023-36802

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: September 12, 2023

Last Updated: October 28, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802 Patch,Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36802 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36802, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Microsoft Streaming Service Proxy

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities