CVE-2023-28240: Windows Network Load Balancing Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Apr
Released: 2023-04-11
EPSS Score: 0.19% (percentile: 41.2%)

FAQ

How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker on the same subnet as the target system would need to send a specially crafted packet to a server configured as a Network Load Balancing cluster host. According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability? This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Affected Products (16)

Windows

Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)

ESU

Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)

Security Updates (11)

Acknowledgments

<a href="https://www.twitter.com/guhe120">Yuki Chen</a> with <a href="https://www.cyberkl.com/">Cyber KunLun</a>, <a href="https://twitter.com/b2ahex">b2ahex</a>

Revision History

2023-04-11: Information published.