Zero-day exploit: CVE-2023-36884, CVSS:3.1 8.3 (base) / 8.1 (temporal)

What happened?

On 11 July 2023, together with its regular Patch Tuesday notes, Microsoft announced several new critical vulnerabilities. One of them, CVE-2023-36884, stands out: it is being actively exploited in campaigns aimed at the NATO Summit currently taking place in Vilnius and at participating organisations. Detailed information on the vulnerability is given below. Note that the July release does not yet contain a fix for this specific CVE (Microsoft has said it will act once its investigation is complete), so apply the July updates for the other vulnerabilities and use the mitigations described below in the meantime.

Additionally, since today we have been seeing a notable increase in DDoS attempts, both against systems we monitor and as reported on social media and other public sources. A few websites had temporary outages (autobusustotis.lt, stops.lt, Litexpo), and DDoS attacks against the 15min.lt and alfa.lt news sites are ongoing as we write this.

How does CVE-2023-36884 function?

Specially crafted Microsoft Office documents are used to exploit the vulnerability. Unlike zero-click or wormable flaws, the exploitation observed so far requires the target to open the document. Once opened, the document abuses the HTML rendering component used by Office and Windows (the CVE is titled "Office and Windows HTML Remote Code Execution Vulnerability") to navigate to attacker-controlled content and launch a child process from the Office application, which results in code execution in the context of the user who opened the file. The two Microsoft mitigations below target exactly these two steps: blocking Office applications from creating child processes, and blocking cross-protocol file navigation.

How to mitigate against the threat of CVE-2023-36884?

According to Microsoft, customers using Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. The currently observed attack chain is also blocked by the Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes" (Microsoft Defender for Endpoint, with Microsoft Defender Antivirus as the active antivirus). If you have not deployed this rule yet, start it in audit mode for a pilot group, since some line-of-business add-ins legitimately spawn processes from Office.

If you cannot use the above protections, Microsoft recommends the following actions to protect your organisation:

“(…) set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
PowerPoint.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe”
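The following PowerShell script is an added worked example, written for this notification and not taken from Microsoft's advisory or from any NRD tooling. It applies both mitigations described above (the registry values and the ASR rule) and, more importantly for a SOC, provides check functions that report which endpoints are still unmitigated so the result can be verified rather than assumed. The registry path and application names are exactly those quoted from Microsoft; the ASR rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is Microsoft's published identifier for "Block all Office applications from creating child processes". The function names are our own. Run it in an elevated PowerShell session on Windows.

```powershell
# Added example: apply and verify the CVE-2023-36884 mitigations.
# Not Microsoft's code; function names are ours. Requires an elevated session.

# Registry key and values quoted in Microsoft's mitigation guidance.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
          'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe')

# GUID of the ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolFileNavigationBlock {
    # Creates the key if missing and sets every listed application to REG_DWORD 1.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolFileNavigationBlock {
    # Returns the applications that are NOT yet mitigated; an empty result means fully applied.
    if (-not (Test-Path -Path $KeyPath)) { return $Apps }
    $values = Get-ItemProperty -Path $KeyPath
    $missing = @()
    foreach ($app in $Apps) {
        # A missing value is $null, which also fails the comparison below.
        if ($values.$app -ne 1) { $missing += $app }
    }
    return $missing
}

function Enable-OfficeChildProcessAsrRule {
    # Set to 'AuditMode' first on a pilot group, then 'Enabled' once no legitimate
    # add-ins are seen spawning processes from Office.
    param([ValidateSet('Enabled','AuditMode')][string]$Mode = 'Enabled')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Test-OfficeChildProcessAsrRule {
    # Maps the numeric action stored by Defender to a readable state.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProcess) {
            switch ($actions[$i]) {
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return 'Disabled' }
            }
        }
    }
    return 'NotConfigured'
}

# Apply, then report. The report section is what you would run on every host afterwards.
Set-CrossProtocolFileNavigationBlock
Enable-OfficeChildProcessAsrRule -Mode 'Enabled'

$unmitigated = Test-CrossProtocolFileNavigationBlock
if ($unmitigated.Count -eq 0) {
    Write-Output "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: all $($Apps.Count) applications set"
} else {
    Write-Output "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: missing $($unmitigated -join ', ')"
}
Write-Output "ASR 'Block all Office applications from creating child processes': $(Test-OfficeChildProcessAsrRule)"
```

The two Test- functions return values rather than only printing them, so they can be pushed through your endpoint management tooling and the output collected centrally; any host reporting a non-empty missing list or an ASR state other than Block is still exposed to the observed attack chain. As Microsoft notes, the registry setting can break legitimate cross-protocol links in the listed applications, so roll it out to a pilot group first.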

Sources and additional reading

MITRE CVE record for CVE-2023-36884

Microsoft Threat Intelligence article on the attacks exploiting the vulnerability for financial and espionage motives

Details about the group claiming responsibility for the ongoing DDoS attacks

Notifications like this one are provided to customers of our managed security service, CyberSOC 24/7.
