Cyber Resilience

CVE-2023-28299

Medium

Published: 11 April 2023

Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28299 is a medium-severity vulnerability in Microsoft Visual Studio 2022 whose weakness type is unspecified (no CWE assigned). Its CVSS base score is 5.5 (Medium).

Operationally, its EPSS score ranks at the 35.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-28299 is a spoofing vulnerability affecting Visual Studio. It carries a CVSS 3.1 base score of 5.5 with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N: successful exploitation requires only local access and low privileges, needs no user interaction, and has a high integrity impact with no confidentiality or availability impact.

An attacker with local access and low privileges can exploit the flaw without user interaction to spoof content or behavior within the Visual Studio environment, thereby achieving unauthorized integrity changes on the affected system.

Microsoft has published remediation guidance in its Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28299.

The associated EPSS score remained low after the April 2023 disclosure but rose sharply to a peak of 0.3164 on 2025-01-22 before receding, indicating a period of increased exploitation interest well after initial publication.

Vulnerability details

Visual Studio Spoofing Vulnerability

CWE(s): none assigned

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Visual Studio 2017, versions 15.0 to 15.9.54
Microsoft Visual Studio 2019, versions 16.0 to 16.11.26
Microsoft Visual Studio 2022, versions 17.0 to 17.0.21, 17.2.0 to 17.2.15, and 17.4.0 to 17.4.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
