Cyber Resilience

CVE-2023-36567

High

Published: 10 October 2023

Published
10 October 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0529 90.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-36567 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-36567 is an information disclosure vulnerability affecting Windows Deployment Services, carrying a CVSS 3.1 base score of 7.5 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and associated with CWE-908. The flaw stems from use of uninitialized resources and permits exposure of sensitive data without requiring authentication or user interaction.

Remote attackers can exploit the issue over the network to obtain confidential information from the affected deployment services component. No privileges are needed, enabling unauthenticated network-based access that impacts confidentiality while leaving integrity and availability untouched.

Microsoft security advisories published at the referenced MSRC URLs address remediation steps and available updates for the vulnerability.

The associated EPSS score has remained flat at a peak and current value of 0.0529, showing no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

Windows Deployment Services Information Disclosure Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1507
≤ 10.0.10240.20232
microsoft
windows 10 1809
≤ 10.0.17763.4974
microsoft
windows 10 21h1
≤ 10.0.19041.3570
microsoft
windows 10 22h2
≤ 10.0.19041.3570
microsoft
windows 11 21h2
≤ 10.0.22000.2538
microsoft
windows 11 22h2
≤ 10.0.22621.2428
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
all versions
microsoft
windows server 2019
all versions
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References