Cyber Resilience

CVE-2023-28229

HighCISA KEVActive ExploitationEUVD Exploited

Published: 11 April 2023

Published
11 April 2023
Modified
28 October 2025
KEV Added
04 October 2023
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0864 92.6th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28229 is a high-severity Sensitive Data Storage in Improperly Locked Memory (CWE-591) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.0 (High).

Operationally, ranked in the top 7.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

Windows CNG Key Isolation Service contains an elevation of privilege vulnerability tracked as CVE-2023-28229. The flaw resides in a core Windows cryptographic component responsible for isolating and managing keys, allowing an authenticated local user to obtain higher privileges on affected systems. The vulnerability carries a CVSS 3.1 score of 7.0 with a local attack vector, high complexity, and low privileges required.

An attacker with a local account can exploit the issue to escalate privileges, potentially gaining the ability to read, modify, or delete protected data and execute code with elevated rights. Exploitation requires no user interaction and targets the Windows kernel-adjacent service, enabling full compromise of confidentiality, integrity, and availability on the host.

Microsoft has published security updates addressing the flaw through its update guide, while CISA has added CVE-2023-28229 to its catalog of known exploited vulnerabilities, confirming active in-the-wild use and underscoring the need for prompt patching. Organizations should apply the relevant Windows security updates and verify service configurations to reduce exposure.

EPSS for this CVE rose materially from a low baseline to a peak of 0.4231 on 2024-08-15 before receding to the current 0.0864, indicating that exploitation interest increased well after initial disclosure and that the issue merits renewed attention.

EU & UK References

Vulnerability details

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

CWE(s)
KEV Date Added
04 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1507
≤ 10.0.10240.19869
microsoft
windows 10 1607
≤ 10.0.14393.5850
microsoft
windows 10 1809
≤ 10.0.17763.4252
microsoft
windows 10 20h2
≤ 10.0.19042.2846
microsoft
windows 10 21h2
≤ 10.0.19044.2846
microsoft
windows 10 22h2
≤ 10.0.19045.2846
microsoft
windows 11 21h2
≤ 10.0.22000.1817
microsoft
windows 11 22h2
≤ 10.0.22621.1555
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+3 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor security updates that Microsoft released to eliminate the CNG Key Isolation Service flaw.

prevent

Enforces least-privilege restrictions on local accounts so an attacker starts with minimal rights, raising the bar for successful EoP.

prevent

Enforces access-control decisions on the key-isolation service, blocking unauthorized callers from obtaining elevated privileges.

References