CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

Overview

Severity: Critical (CVSS 9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Actively Exploited
Exploitation Likelihood: Detected
Patch Tuesday: 2023-Mar
Released: 2023-03-14
Last Updated: 2023-03-21
EPSS Score: 93.35% (percentile: 99.8%)
CISA KEV: Listed — due 2023-04-04

FAQ

Q: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

A: An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash, which could be used as the basis of an NTLM relay attack against another service to authenticate as the user.

Q: Is the Preview Pane an attack vector for this vulnerability?

A: The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.

Q: How could an attacker exploit this vulnerability?

A: External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location under the attacker's control. This will leak the Net-NTLMv2 hash of the victim to the untrusted network, which an attacker can then relay to another service and authenticate as the victim.

Q: Where can I find more information about NTLM relay attacks?

A: Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.

Q: Where can I find more information?

A: Please see the MSRC Blog Post relating to this vulnerability here: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability.
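As an added, defender-side example that is not part of the advisory: the Python script below scans constructed firewall log lines for the outbound connection the FAQ describes, a workstation reaching TCP/445 on an external address, which is the traffic the "Potential CVE-2023-23397 Exploitation Attempt - SMB" Sigma rule listed further down targets. The log format, the internal address ranges and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Address ranges treated as "inside" for this example (assumption: RFC 1918
# plus loopback and link-local); a real deployment uses its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample firewall log lines (not from the advisory): one line
# per outbound TCP connection attempt, in a simple key=value format.
SAMPLE_LOG = """\
ts=2023-03-16T09:12:01Z src=10.20.4.17 dst=10.20.1.5 dport=445 proto=tcp
ts=2023-03-16T09:12:07Z src=10.20.4.17 dst=203.0.113.44 dport=445 proto=tcp
ts=2023-03-16T09:13:40Z src=10.20.4.22 dst=198.51.100.9 dport=443 proto=tcp
ts=2023-03-16T09:14:02Z src=10.20.4.22 dst=198.51.100.9 dport=445 proto=tcp
garbage line that does not parse
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")


def is_external(dst: str) -> bool:
    """True when dst lies outside INTERNAL_NETS; a bare hostname counts as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str, smb_ports=(445,)):
    """Return (ts, src, dst) for outbound SMB attempts to external hosts.

    A client reaching TCP/445 on an Internet address is the connection the
    crafted email described above forces, so each hit is a triage candidate.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, dst, dport, proto = m.groups()
        if proto == "tcp" and int(dport) in smb_ports and is_external(dst):
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_external_smb(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: outbound SMB to external host")
```

Internal-to-internal SMB (the first sample line) is ignored because the leaked-hash scenario needs the victim to reach a host outside the organisation; hits still need triage, since legitimate external SMB is rare but not impossible.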

Known Exploits (22)

  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2026-01-09T04:27:28Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2025-07-25T13:17:15Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2025-04-07T02:33:56Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2024-03-20T09:49:01Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-10-26T09:26:32Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-09-02T15:35:15Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-07-14T22:02:55Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-05-07T18:21:35Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-29T01:17:22Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-23T13:40:18Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-22T11:00:47Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-21T18:38:00Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-20T16:31:54Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-19T08:07:58Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-18T21:14:21Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-17T17:35:14Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-17T10:18:26Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-17T06:52:42Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-16T19:43:39Z
  • Microsoft Office Outlook Privilege Escalation Vulnerability — added 2023-03-16T19:10:37Z

Detection & Weaponization (3 sources)

Maturity: Detection

  • Sigma rules: Outlook Task/Note Reminder Received, CVE-2023-23397 Exploitation Attempt, Potential CVE-2023-23397 Exploitation Attempt - SMB
  • YARA rules: expl_outlook_cve_2023_23397.yar, R3C0NST_Exploit_Outlook_CVE_2023_23397, DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23, ELCEEF_Outlook_CVE_2023_23397_Exploit, SIGNATURE_BASE_SUSP_EXPL_Msg_CVE_2023_23397_Mar23, SIGNATURE_BASE_EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23, SIGNATURE_BASE_EXPL_SUSP_Outlook_CVE_2023_23397_SMTP_Mail_Mar23
  • GitHub PoC: 29 repositories

Affected Products (11)

Microsoft Office

  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Outlook 2016 (32-bit edition)
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
  • Microsoft Outlook 2013 RT Service Pack 1
  • Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
  • Microsoft Outlook 2016 (64-bit edition)

Security Updates (4)

Acknowledgments

CERT-UA, Microsoft Incident Response, Microsoft Threat Intelligence

Revision History

  • 2023-03-14: Information published.
  • 2023-03-15: Updated acknowledgment.
  • 2023-03-16: Removed the mitigation guidance which recommended disabling the web client service as it is not applicable.
  • 2023-03-21: Updated FAQ information. This is an informational change only.