Zero-day exploit CVSS:3.1 8.3 / 8.1

What happened?

On 11 July 2023, together with its regular Patch Tuesday notes, Microsoft announced a few new critical vulnerabilities. Among these, one was singled out as being of extreme importance, CVE-2023-36884, as it is actively being used in campaigns targeting the currently ongoing NATO Summit in Vilnius and participating organisations. You will find detailed information regarding the vulnerability below, but we also advise you to apply the latest Microsoft updates where possible.

Additionally, starting from today we are seeing a notable increase in DDoS attempts, both in systems that we monitor and across social media and other public sources. A few websites had temporary outages (autobusustotis.lt, stops.lt, Litexpo), and we are currently seeing DDoS attacks against the 15min.lt and alfa.lt news sites.

How does CVE-2023-36884 function?

Specially crafted Microsoft Office documents are used to exploit the vulnerability. Unlike in other types of attacks, as currently exploited these documents have to be opened by the target/victim. Once opened, the document creates a new instance of a vulnerable Microsoft Software Diagnostic Tool, which then allows Remote Code Execution.

How to mitigate against the threat of CVE-2023-36884?

According to Microsoft, if you are currently using Microsoft Defender for Office, you are already protected from this vulnerability. The current attack chain is blocked if you use the "Block all Office applications from creating child processes" Attack Surface Reduction rule.

In case you are unable to use the above protections, Microsoft recommends performing the following actions to protect your organisation:

“(…) set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1.:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe

Graph.exe

MSAccess.exe

MSPub.exe

PowerPoint.exe

Visio.exe

WinProj.exe

WinWord.exe

Wordpad.exe”
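
One way to check and, if wanted, set the values from the Microsoft guidance quoted above. This is an added example, not Microsoft's script and not part of the original advisory; the `-Apply` switch and the function name `Get-MitigationState` are hypothetical, and writing under HKLM requires an elevated session.

```powershell
# Added example: audit (and optionally set) the CVE-2023-36884 registry mitigation.
# The key path and application names are the ones listed in the advisory above.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

function Get-MitigationState {
    param([string]$Path, [string[]]$Names)
    # The key may not exist at all on an unmitigated host
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $value = $null
        $kind  = $null
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
        }
        # Compliant only when the value is a REG_DWORD with data 1;
        # a REG_SZ "1" or a DWORD 0 is reported as non-compliant
        [pscustomobject]@{
            Application = $name
            Value       = $value
            Kind        = $kind
            Compliant   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $value -eq 1)
        }
    }
}

if ($Apply) {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null   # creates missing parent keys too
    }
    $missing = Get-MitigationState -Path $KeyPath -Names $Apps | Where-Object { -not $_.Compliant }
    foreach ($row in $missing) {
        # -Force overwrites a value of the wrong type or with the wrong data
        New-ItemProperty -LiteralPath $KeyPath -Name $row.Application `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the final state; a non-zero exit code lets a deployment tool flag the host
$state = @(Get-MitigationState -Path $KeyPath -Names $Apps)
$state | Format-Table -AutoSize
if ($state.Compliant -contains $false) { exit 1 }
```

Run it without `-Apply` first to see which hosts already carry the values, since Microsoft notes the setting can affect regular functionality of these applications.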

Sources and additional reading

MITRE CVE

Microsoft article about exploiting the vulnerability for financial and espionage motives

Details about the group taking responsibility for the ongoing DDoS attacks

Notifications such as this one are provided to customers of our managed security service, CyberSOC 24/7.
