CVE-2023-36874

Q: What is the severity of CVE-2023-36874?

CVE-2023-36874 has a CVSS score of 7.8 (HIGH). CVE-2023-36874 is a local privilege escalation vulnerability in the Windows Error Reporting Service that allows authenticated attackers to gain SYSTEM-level privileges. This affects Windows systems where the service is running, primarily impacting enterprise environments with multiple user accounts. Attackers need local access to exploit this vulnerability.

7.8 HIGH

📋 TL;DR

CVE-2023-36874 is a local privilege escalation vulnerability in the Windows Error Reporting Service that allows authenticated attackers to gain SYSTEM-level privileges. This affects Windows systems where the service is running, primarily impacting enterprise environments with multiple user accounts. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with Windows Error Reporting Service enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker gains SYSTEM privileges, enabling complete system compromise, installation of malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Malicious insiders or attackers with initial access escalate privileges to bypass security controls, install persistence mechanisms, or access sensitive data.

🟢

If Mitigated

With proper patch management and least privilege principles, impact is limited to isolated systems with minimal lateral movement potential.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access, not directly exploitable over the internet.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to gain full control and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit code is publicly available and has been observed in attacks. Requires local authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates (KB5028166 for Windows 10, KB5028185 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874

Restart Required: Yes

Instructions:

1. Apply July 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Windows Error Reporting Service

windows

Disables the vulnerable service to prevent exploitation

sc config WerSvc start= disabled
sc stop WerSvc

Restrict service permissions

windows

Modify service permissions to prevent unauthorized access

sc sdset WerSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

Implement strict least privilege principles and limit local administrator accounts
Monitor for suspicious service manipulation and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Windows Error Reporting Service is running and system lacks July 2023 security updates

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2023 security updates are installed via 'systeminfo' or 'Get-HotFix' commands

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with WerSvc process creation, unexpected SYSTEM privilege escalation events

Network Indicators:

Unusual outbound connections from systems after local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName="*WerSvc*" AND SubjectUserName!="SYSTEM"

📊 Metadata

CVE ID: CVE-2023-36874

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: July 11, 2023

Last Updated: October 28, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874 Patch,Vendor Advisory
http://packetstormsecurity.com/files/174843/Microsoft-Error-Reporting-Local-Privilege-Elevation.html Exploit,Third Party Advisory,VDB Entry
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874 Patch,Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36874 US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Windows Error Reporting Service

Restrict service permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities