CVE-2023-36567
Published: 10 October 2023
Summary
CVE-2023-36567 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-36567 is an information disclosure vulnerability affecting Windows Deployment Services, carrying a CVSS 3.1 base score of 7.5 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and associated with CWE-908. The flaw stems from use of uninitialized resources and permits exposure of sensitive data without requiring authentication or user interaction.
Remote attackers can exploit the issue over the network to obtain confidential information from the affected deployment services component. No privileges are needed, enabling unauthenticated network-based access that impacts confidentiality while leaving integrity and availability untouched.
Microsoft security advisories published at the referenced MSRC URLs address remediation steps and available updates for the vulnerability.
The associated EPSS score has remained flat at a peak and current value of 0.0529, showing no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40512
Vulnerability details
Windows Deployment Services Information Disclosure Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.