
CVE-2023-35628

Severity: High
Published: 12 December 2023
Modified: 21 November 2024
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1554 (94.8th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-35628 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-35628 is a remote code execution vulnerability in the Windows MSHTML platform, assigned CWE-416 for use-after-free. It carries a CVSS 3.1 score of 8.1 reflecting network attack vector, high complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The flaw resides in core HTML rendering components used across multiple Windows versions.

An unauthenticated attacker can exploit the issue over the network to achieve arbitrary code execution with full system privileges. The attack requires no user interaction, though the high complexity rating indicates specific conditions must be met for successful exploitation.

Microsoft has published guidance for the vulnerability through its Security Response Center at the referenced advisory URL, which includes patch availability and mitigation recommendations for affected Windows installations. The associated EPSS values (0.1554 current, 0.1710 peak) indicate a moderate and relatively stable exploitation probability since disclosure.

Vulnerability details

Windows MSHTML Platform Remote Code Execution Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1507: ≤ 10.0.10240.20345
Microsoft Windows 10 1607: ≤ 10.0.14393.6529
Microsoft Windows 10 1809: ≤ 10.0.17763.5206
Microsoft Windows 10 21H2: ≤ 10.0.19041.3803
Microsoft Windows 10 22H2: ≤ 10.0.19045.3803
Microsoft Windows 11 21H2: ≤ 10.0.22000.2652
Microsoft Windows 11 22H2: ≤ 10.0.22621.2861
Microsoft Windows 11 23H2: ≤ 10.0.22631.2861
Microsoft Windows Server 2008: R2
Microsoft Windows Server 2012: all versions, R2
+4 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416

Exploitation of use-after-free bugs to achieve arbitrary code execution is blocked or substantially hardened by non-executable memory pages and ASLR.
