CVE-2023-36563

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 October 2023
Modified: 28 October 2025
KEV Added: 10 October 2023
Patch: available (Microsoft Security Response Center update guide)
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0283 (86.5th percentile)
Risk Priority: 35 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-36563 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 6.5 (Medium).

Operationally, its EPSS score places it in the top 13.5% of CVEs by exploit likelihood (86.5th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-36563 is an information disclosure vulnerability affecting Microsoft WordPad. It carries a CVSS 3.1 base score of 6.5, reflecting a network attack vector, low attack complexity, no required privileges, and required user interaction; the impact to confidentiality is high while integrity and availability are unaffected. The issue is classified as CWE-20 (Improper Input Validation).

An unauthenticated remote attacker can exploit the flaw by supplying a specially crafted file or document that a user then opens in WordPad; successful exploitation discloses sensitive information from the target system.

Microsoft has issued remediation guidance through its Security Response Center update guide. The vulnerability is listed in CISA’s catalog of known exploited vulnerabilities, confirming observed real-world exploitation activity.

The associated EPSS score has remained flat at 0.0283 from disclosure through the most recent measurement.

Vulnerability details

Title: Microsoft WordPad Information Disclosure Vulnerability
CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 10 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft

windows 10 1507: versions ≤ 10.0.10240.20232
windows 10 1607: versions ≤ 10.0.14393.6351
windows 10 1809: versions ≤ 10.0.17763.4974
windows 10 21h2: versions ≤ 10.0.19041.3570
windows 10 22h2: versions ≤ 10.0.19045.3570
windows 11 21h2: versions ≤ 10.0.22000.2538
windows 11 22h2: versions ≤ 10.0.22621.2428
windows server 2008: all versions, including r2
windows server 2012: all versions, including r2
windows server 2016: versions ≤ 10.0.14393.6351
+2 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires applying the vendor patch that eliminates the WordPad parsing flaw before an attacker-supplied file can be opened.

AU-13 Monitoring for Information Disclosure (detect): Explicitly monitors for unauthorized information disclosure attempts that match the observed behavior of CVE-2023-36563.

Malicious code protection and file scanning (prevent, detect): Malicious-code and file-scanning mechanisms can block or alert on the specially crafted WordPad documents used to trigger the vulnerability.