CVE-2023-28252
Published: 11 April 2023
Summary
CVE-2023-28252 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 1.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability CVE-2023-28252 is an elevation of privilege flaw in the Windows Common Log File System Driver (clfs.sys) stemming from a heap-based buffer overflow and out-of-bounds write, as indicated by the associated CWEs. It affects supported versions of Windows and carries a CVSS 3.1 score of 7.8, reflecting local attack vector, low complexity, and low privileges required for successful exploitation with high impact on confidentiality, integrity, and availability.
A local attacker with low-privileged access on an affected system can exploit the driver flaw to escalate privileges, potentially gaining full control over the target machine. Public exploit code has been posted to sites such as Packet Storm, confirming the technical feasibility of the attack.
Microsoft's advisory directs administrators to apply the security updates released on April 11, 2023, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog and requires federal agencies to remediate in accordance with Binding Operational Directive 22-01.
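Assuming the administrator has taken the KB article ID and the fixed clfs.sys file version for the host's build from Microsoft's advisory, the following PowerShell check (an added example, not code from the advisory or from Microsoft) reports whether a host still carries the vulnerable driver:

```powershell
<#
  Added example, not part of the advisory or of any Microsoft tooling.
  Checks a Windows host for the update that remediates CVE-2023-28252 and
  reports the installed clfs.sys driver version. Both inputs must be taken
  from Microsoft's advisory for the host's specific build:
    -KbId            KB article ID of the April 11, 2023 update for this build
    -MinClfsVersion  clfs.sys file version shipped by that update
#>
param(
    [Parameter(Mandatory)] [string]  $KbId,
    [Parameter(Mandatory)] [version] $MinClfsVersion
)

# Build the driver version from the numeric parts; the FileVersion string on
# system binaries carries a build-lab suffix and does not cast cleanly to [version].
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$vi = (Get-Item -Path $driverPath).VersionInfo
$installedVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                   $vi.FileBuildPart, $vi.FilePrivatePart)

# Get-HotFix reads Win32_QuickFixEngineering; it lists cumulative updates but not
# every servicing operation, so the on-disk driver version is the authoritative check.
$kbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

if ($installedVersion -ge $MinClfsVersion) {
    $status = 'Patched'
} elseif ($kbInstalled) {
    $status = 'Update listed but clfs.sys is older than expected (reboot pending?)'
} else {
    $status = 'Vulnerable: apply the April 11, 2023 security update'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OSVersion         = [System.Environment]::OSVersion.Version.ToString()
    ClfsDriverVersion = $installedVersion.ToString()
    RequiredVersion   = $MinClfsVersion.ToString()
    KbInstalled       = $kbInstalled
    Status            = $status
}
```

Run it across the fleet with Invoke-Command and keep the returned objects as the remediation evidence BOD 22-01 asks federal agencies to produce.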
The vulnerability shows confirmed real-world exploitation, with an EPSS score that peaked at 0.7018 and currently sits at 0.5998.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31960
Vulnerability details
Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
- KEV Date Added: 11 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely installation of the vendor security update that eliminates the clfs.sys heap overflow and EoP path.
- Enforces least-privilege restrictions so a local low-privileged account cannot reach the kernel driver code path needed for escalation.
- Access-enforcement mechanisms limit the ability of an unprivileged process to invoke the vulnerable CLFS driver functions that lead to SYSTEM-level access.