Cyber Resilience

CVE-2023-28252

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 11 April 2023
Modified: 28 October 2025
KEV Added: 11 April 2023
Patch: available (vendor security update)
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.6215 (98.4th percentile)
Risk Priority: 73 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28252 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2023-28252 is an elevation of privilege flaw in the Windows Common Log File System Driver (clfs.sys) stemming from a heap-based buffer overflow and out-of-bounds write, as indicated by the associated CWEs. It affects supported versions of Windows and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, and low privileges required, with high impact on confidentiality, integrity, and availability.

A local attacker with low-privileged access on an affected system can exploit the driver flaw to escalate privileges, potentially gaining full control over the target machine. Public exploit code has been posted to sites such as Packet Storm, confirming the technical feasibility of the attack.

Microsoft's advisory directs administrators to apply the security updates released on April 11, 2023, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog and requires federal agencies to remediate in accordance with Binding Operational Directive 22-01.

The vulnerability shows confirmed real-world exploitation; its EPSS score peaked at 0.7018 and currently stands at 0.5998.

Vulnerability details

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CWE(s): CWE-122 (Heap-based Buffer Overflow)
KEV Date Added: 11 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product              Affected versions
microsoft  windows 10 1507      ≤ 10.0.10240.19869
microsoft  windows 10 1607      ≤ 10.0.14393.5850
microsoft  windows 10 1809      ≤ 10.0.17763.4252
microsoft  windows 10 20h2      ≤ 10.0.19042.2846
microsoft  windows 10 21h2      ≤ 10.0.19044.2846
microsoft  windows 10 22h2      ≤ 10.0.19045.2846
microsoft  windows 11 21h2      ≤ 10.0.22000.1817
microsoft  windows 11 22h2      ≤ 10.0.22621.1555
microsoft  windows server 2008  all versions, r2
microsoft  windows server 2012  all versions, r2
+3 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5) · AI

Prevent, SI-2 (Flaw Remediation): directly requires timely installation of the vendor security update that eliminates the clfs.sys heap overflow and EoP path.

Prevent: enforces least-privilege restrictions so a local low-privileged account cannot reach the kernel driver code path needed for escalation.

Prevent, AC-3 (Access Enforcement): access-enforcement mechanisms limit the ability of an unprivileged process to invoke the vulnerable CLFS driver functions that lead to SYSTEM-level access.
