CVE-2023-35628
Published: 12 December 2023
Summary
CVE-2023-35628 is a high-severity use-after-free (CWE-416) vulnerability in the Windows MSHTML platform; Microsoft Windows Server 2012 is among the affected products listed. Its CVSS 3.1 base score is 8.1 (High).
Operationally, it ranks in the top 5.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-35628 is a remote code execution vulnerability in the Windows MSHTML platform, assigned CWE-416 (use-after-free). It carries a CVSS 3.1 base score of 8.1, reflecting a network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The flaw resides in core HTML rendering components used across multiple Windows versions.
An unauthenticated attacker can exploit the issue over the network to achieve arbitrary code execution. No user interaction is required, but the high attack complexity rating means exploitation depends on conditions outside the attacker's control (for a use-after-free, typically a particular heap layout or timing), so it is not a point-and-shoot bug.
Microsoft has published guidance through its Security Response Center at the referenced advisory, including patch availability and mitigation recommendations for affected Windows installations. The EPSS values (0.1554 current, 0.1710 peak) estimate a roughly 15-17% probability of exploitation activity within the next 30 days, a moderate and stable level since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39628
Vulnerability details
Windows MSHTML Platform Remote Code Execution Vulnerability
- CWE(s): CWE-416 (Use After Free)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that aim for arbitrary code execution are made considerably harder, though not blocked outright, by non-executable pages (DEP) and ASLR: the attacker has to pair the dangling-pointer primitive with an information leak to defeat ASLR and a code-reuse chain to get past DEP. These controls raise exploit cost; applying the vendor patch is the only complete remediation.