CVE-2023-36761
Published: 12 September 2023
Summary
CVE-2023-36761 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Word. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 9.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Microsoft Word contains an information disclosure vulnerability tracked as CVE-2023-36761. The flaw received a CVSS 3.1 score of 6.5 with a network attack vector, low complexity, no required privileges, and required user interaction, resulting in high confidentiality impact while leaving integrity and availability unaffected. It is listed under CWE-20 and was publicly disclosed on 12 September 2023.
An unauthenticated attacker can supply a specially crafted document that, once opened by a victim, leaks sensitive information from the targeted system. The attack requires the victim to interact with the malicious file, after which the attacker obtains data that would otherwise remain protected.
Microsoft has published remediation guidance in its Security Response Center update guide for CVE-2023-36761. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming that it has been leveraged in real-world attacks and underscoring the need for prompt application of available patches.
EPSS for this CVE rose sharply from a low baseline to a peak of 0.7351 on 15 June 2024 before receding to its current value of 0.0553, indicating a distinct post-disclosure increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40704
Vulnerability details
Microsoft Word Information Disclosure Vulnerability
- CWE(s)
- KEV Date Added
- 12 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of Microsoft patches that remediate the input-validation flaw in Word.
Malicious-code protection mechanisms can inspect and block the specially crafted documents used to trigger the disclosure.
Explicitly monitors for unauthorized information disclosure that occurs when the crafted document is opened.