CVE-2023-28228

Medium

Published: 11 April 2023

Modified: 21 November 2024
KEV added: not listed
CVSS v3.1 score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.0106 (78.0th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28228 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Microsoft Windows, with Windows Server 2008 among the affected products. Its CVSS base score is 5.5 (Medium).

Operationally, it ranks in the top 22.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-28228 is a spoofing vulnerability affecting Windows, assigned a CVSS 3.1 base score of 5.5 with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. It is also associated with CWE-347. The flaw was publicly disclosed on 11 April 2023.

Consistent with the AV:L/PR:N/UI:R vector, an attacker with local access and no privileges can exploit the issue provided they can convince a user to perform a specific action. Successful exploitation has a high impact on integrity while leaving confidentiality and availability unaffected.

Microsoft Security Response Center advisories hosted at the listed reference URLs describe available patches and mitigation steps for the vulnerability.

The associated EPSS score rose from a low baseline to a peak of 0.0762 on 22 January 2025 before receding to its current value of 0.0106, indicating that exploitation interest emerged well after initial disclosure.

Vulnerability details

Title: Windows Spoofing Vulnerability
CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

| Vendor    | Product             | Affected versions       |
|-----------|---------------------|-------------------------|
| microsoft | windows 10 1507     | ≤ 10.0.10240.19869      |
| microsoft | windows 10 1607     | ≤ 10.0.14393.5850       |
| microsoft | windows 10 1809     | ≤ 10.0.17763.4252       |
| microsoft | windows 10 20h2     | ≤ 10.0.19042.2846       |
| microsoft | windows 10 21h2     | ≤ 10.0.19044.2846       |
| microsoft | windows 10 22h2     | ≤ 10.0.19045.2846       |
| microsoft | windows 11 21h2     | ≤ 10.0.22000.1817       |
| microsoft | windows 11 22h2     | ≤ 10.0.22621.1555       |
| microsoft | windows server 2008 | all versions, r2        |
| microsoft | windows server 2012 | all versions, r2        |

+3 more product configurations (see NVD for the full list).

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-347:

- Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
- Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
- PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
- Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
- Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
- Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
- Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.