CVE-2023-36563
Published: 10 October 2023
Summary
CVE-2023-36563 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 13.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-36563 is an information disclosure vulnerability affecting Microsoft WordPad. It carries a CVSS 3.1 base score of 6.5 reflecting a network attack vector, low attack complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality while leaving integrity and availability unaffected. The issue is also associated with CWE-20.
An unauthenticated remote attacker can exploit the flaw by supplying a specially crafted file or document that a user opens in WordPad, enabling disclosure of sensitive information from the target system.
Microsoft has issued remediation guidance through its Security Response Center update guide. The vulnerability is listed in CISA’s catalog of known exploited vulnerabilities, confirming observed real-world exploitation activity.
The associated EPSS score has remained flat at 0.0283 from disclosure through the present measurement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40509
Vulnerability details
Microsoft WordPad Information Disclosure Vulnerability
- CWE(s)
- KEV Date Added
- 10 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patch that eliminates the WordPad parsing flaw before an attacker-supplied file can be opened.
Explicitly monitors for unauthorized information disclosure attempts that match the observed behavior of CVE-2023-36563.
Malicious-code and file-scanning mechanisms can block or alert on the specially crafted WordPad documents used to trigger the vulnerability.