
CVE-2023-29360

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 June 2023
Modified: 28 October 2025
KEV Added: 29 February 2024
Patch: vendor patch available (Microsoft Security Response Center)
CVSS Score (v3.1): 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3029 (96.8th percentile)
Risk Priority: 55 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29360 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 8.4 (High).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

Microsoft Streaming Service contains an elevation of privilege vulnerability tracked as CVE-2023-29360. The flaw carries a CVSS 3.1 score of 8.4 and is associated with CWE-822. It affects the streaming service component in supported Microsoft products and allows an attacker to obtain elevated privileges on an affected system.

An unauthenticated local attacker can exploit the issue without user interaction. Successful exploitation grants full control over confidentiality, integrity, and availability on the target host, enabling the attacker to execute arbitrary code with elevated rights.

Microsoft has published remediation guidance through its Security Response Center, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities. The associated EPSS score has remained near 0.30 with only minor fluctuation between its recorded peak and current values.


Vulnerability details

Title: Microsoft Streaming Service Elevation of Privilege Vulnerability
CWE(s): CWE-822 (Untrusted Pointer Dereference)
KEV Date Added: 29 February 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Affected builds (up to and including)
microsoft / windows 10 1607 / ≤ 10.0.14393.5989
microsoft / windows 10 1809 / ≤ 10.0.17763.4499
microsoft / windows 10 21h2 / ≤ 10.0.19044.3086
microsoft / windows 10 22h2 / ≤ 10.0.19045.3086
microsoft / windows 11 21h2 / ≤ 10.0.22000.2057
microsoft / windows 11 22h2 / ≤ 10.0.22621.1848
microsoft / windows server 2016 / ≤ 10.0.14393.5989
microsoft / windows server 2019 / ≤ 10.0.17763.4499
microsoft / windows server 2022 / ≤ 10.0.20348.1784

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): Directly counters the EoP by restricting the streaming service and its processes to the minimum privileges needed, blocking the local attacker from obtaining full system control.

AC-3 Access Enforcement (prevent): Enforces access control policies on the streaming service so that an unprivileged local process cannot elevate to full system rights.

Vendor patch (prevent): Requires timely application of the vendor patch that eliminates the CWE-822 flaw being actively exploited in the wild.
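As an added practitioner's check, not part of this page's analysis or of Microsoft's own guidance, the PowerShell below compares a host's build line and update build revision (UBR) against the affected-build ceilings listed under Affected Assets; it assumes the build values are readable from the CurrentVersion registry key and that a UBR above the listed ceiling means a later cumulative update is installed.

```powershell
# Added example: test whether a Windows host sits at or below the affected
# build ceilings this page lists for CVE-2023-29360. The ceilings below are
# copied from the Affected Assets list; the registry location is an assumption.
$Cve202329360Ceilings = @{
    '14393' = 5989   # Windows 10 1607 / Windows Server 2016
    '17763' = 4499   # Windows 10 1809 / Windows Server 2019
    '19044' = 3086   # Windows 10 21H2
    '19045' = 3086   # Windows 10 22H2
    '22000' = 2057   # Windows 11 21H2
    '22621' = 1848   # Windows 11 22H2
    '20348' = 1784   # Windows Server 2022
}

function Test-Cve202329360Exposure {
    param(
        # Defaults read the local host; pass values explicitly to evaluate inventory data.
        [string]$Build = (Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber),
        [int]$Ubr = (Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR)
    )
    if (-not $Cve202329360Ceilings.ContainsKey($Build)) {
        # Build line is not in the page's affected list: report it rather than guess.
        return [pscustomobject]@{ Build = "10.0.$Build.$Ubr"; Status = 'NotListed'; Note = 'Build line not in the affected-asset list' }
    }
    $ceiling = $Cve202329360Ceilings[$Build]
    # At or below the ceiling: the June 2023 fix has not been applied.
    $status = if ($Ubr -le $ceiling) { 'Vulnerable' } else { 'Patched' }
    [pscustomobject]@{ Build = "10.0.$Build.$Ubr"; Status = $status; Note = "Affected through 10.0.$Build.$ceiling" }
}

# Evaluate the local host.
Test-Cve202329360Exposure

# Constructed sample values, e.g. pulled from an inventory export:
Test-Cve202329360Exposure -Build '19045' -Ubr 3086   # Vulnerable (exactly at the ceiling)
Test-Cve202329360Exposure -Build '19045' -Ubr 3208   # Patched (above the ceiling)
Test-Cve202329360Exposure -Build '26100' -Ubr 1      # NotListed
```

A 'Patched' result only means the host is above the ceiling this page lists, which is an inventory heuristic rather than a vendor-authoritative confirmation; treat 'NotListed' as a prompt to check the vendor advisory for that build line.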
