CVE-2023-24931
Published: 11 April 2023
Summary
CVE-2023-24931 is a high-severity out-of-bounds read (CWE-125) in the Windows Secure Channel (Schannel) component of Microsoft Windows; this page lists Microsoft Windows Server 2012 as the affected product. Its CVSS 3.1 base score is 7.5 (High).
Operationally, its EPSS percentile places it in the top 6.1% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Windows Secure Channel (Schannel), the component that implements TLS/SSL and related cryptographic protocols in Windows, is affected by CVE-2023-24931, a denial-of-service vulnerability. The flaw is classified as CWE-125 (out-of-bounds read) and carries a CVSS 3.1 base score of 7.5. That score reflects a network-reachable attack of low complexity that needs neither authentication nor user interaction and affects availability only, leaving confidentiality and integrity untouched (the vector consistent with this description is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated remote attacker can send specially crafted network traffic to a vulnerable Windows host and trigger the out-of-bounds read, causing a denial of service in Schannel without any other privileges or local access. Because Schannel provides TLS for services such as RDP, LDAPS and IIS (HTTP.sys), disruption of the component can affect every TLS-backed service on the host, not a single application.
Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24931 is the authoritative source for the affected Windows versions, the corresponding security updates, and any mitigation guidance.
The EPSS score (the estimated probability of exploitation in the wild within the next 30 days) has held flat at 0.1205 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28919
Vulnerability details
Windows Secure Channel Denial of Service Vulnerability
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
No named threat-actor attribution and no ATT&CK technique mapping are currently available for this CVE.
Affected Assets
- Microsoft Windows Server 2012 (Windows Secure Channel component); consult the MSRC advisory for the complete list of affected versions.
Mitigating Controls
No specific mitigating controls are mapped for this CVE. Apply the security update referenced in the MSRC advisory; until hosts are patched, limit network exposure of Schannel-backed TLS endpoints (for example RDP, LDAPS and HTTPS) to trusted sources, since the flaw is reachable without authentication.