CVE-2023-36865

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution when a user opens a specially crafted Visio file. Attackers can exploit this to run arbitrary code with the privileges of the current user. All users running affected versions of Microsoft Visio are potentially vulnerable.

💻 Affected Systems

Products:
  • Microsoft Office Visio
Versions: Microsoft Visio 2016, 2019, 2021, and Microsoft 365 Apps for Enterprise
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open malicious file. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malicious actor tricks user into opening a crafted Visio file, leading to malware installation, credential theft, or backdoor establishment on the victim's system.

🟢 If Mitigated

Limited impact with proper email filtering, user awareness training, and application sandboxing preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious file). No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36865

Restart Required: Yes

Instructions:

1. Open Microsoft Visio.
2. Go to File > Account > Update Options > Update Now.
3. Alternatively, use Windows Update to install the latest security updates.
4. Restart the system after installation.

🔧 Temporary Workarounds

Block Visio file attachments (all platforms)

Configure email gateways to block .vsd, .vsdx, and .vssx file attachments

Disable Visio in Office suite (Windows)

Remove or disable Visio application from affected systems if not required

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables from running
  • Use Microsoft Office Protected View to open files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the Visio version via File > Account > About Visio. If the version predates the July 2023 updates, the system is vulnerable.

Check Version:

wmic product where "name like 'Microsoft Visio%'" get version

Verify Fix Applied:

Verify that Visio has been updated to the July 2023 security update or later. Check Windows Update history for KB5028950 or later.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing Visio process spawning unexpected child processes
  • Antivirus alerts for malicious Visio files

Network Indicators:

  • Outbound connections from Visio process to unknown IPs
  • DNS queries for suspicious domains from Office processes

SIEM Query:

process_name:"VISIO.EXE" AND (process_child_name:*.exe OR network_connection:*)
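
The first log indicator above (Visio spawning unexpected child processes), applied to exported process-creation events. This is an added example, not part of the original advisory. It assumes Sysmon Event ID 1 records exported as JSON lines (fields `EventID`, `Computer`, `ParentImage`, `Image`, `CommandLine`); the baseline of expected children and the sample events are constructed assumptions to tune per environment.

```python
import json
import ntpath

# Assumed baseline of children Visio may start legitimately (printing, crash
# reporting). Not from the advisory; tune it per environment.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Constructed sample: Sysmon Event ID 1 (process creation) records, one JSON
# object per line, plus one truncated line as a broken export would produce.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-014", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISIO.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}
{"EventID": 1, "Computer": "WS-014", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISIO.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Computer": "WS-022", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISIO.EXE", "CommandLine": "VISIO.EXE diagram.vsdx"}
{"EventID": 1, "Computer": "WS-031", "ParentImage": "c:\\program files\\microsoft office\\root\\office16\\visio.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile"}
{"EventID": 1, "Computer": "WS-031", "ParentImage": "C:\\Progr
"""


def image_name(path):
    """Lower-cased file name of a Windows path, whatever OS runs the script."""
    return ntpath.basename(path or "").lower()


def suspicious_visio_children(lines):
    """Return process-creation events whose parent is VISIO.EXE and whose
    child image is outside the expected baseline."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON export line
        if not isinstance(event, dict) or event.get("EventID") != 1:
            continue
        if image_name(event.get("ParentImage")) != "visio.exe":
            continue  # Visio must be the parent, not the child
        child = image_name(event.get("Image"))
        if child not in EXPECTED_CHILDREN:
            hits.append({"host": event.get("Computer"), "child": child,
                         "command_line": event.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_visio_children(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Compared with the SIEM query, which matches any child `.exe`, the baseline keeps routine printing and crash-reporting children out of the alert queue.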
