CVE-2023-21701
Published: 14 February 2023
Summary
CVE-2023-21701 is a high-severity Buffer Over-read (CWE-126) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Protected Extensible Authentication Protocol (PEAP) contains a denial-of-service vulnerability tracked as CVE-2023-21701. The flaw is present in the PEAP implementation used for network authentication and carries a CVSS 3.1 score of 7.5, reflecting a network-accessible vector with low attack complexity and no required credentials or user interaction. The associated weakness identifiers include CWE-126.
An unauthenticated remote attacker can send specially crafted network traffic to a vulnerable PEAP endpoint, resulting in a high-impact denial of service that disrupts availability while leaving confidentiality and integrity unaffected.
Microsoft has published an advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21701 that addresses the issue. The current EPSS score of 0.0626 with a recorded peak of 0.0695 indicates only modest exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25868
Vulnerability details
Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.