Cyber Resilience

CVE-2023-36761

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 September 2023
Modified: 28 October 2025
KEV added: 12 September 2023
Patch: available
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS score: 0.0553 (90.5th percentile)
Risk priority: 36 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36761 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Word. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Word contains an information disclosure vulnerability tracked as CVE-2023-36761. The flaw received a CVSS 3.1 score of 6.5 with a network attack vector, low complexity, no required privileges, and required user interaction, resulting in high confidentiality impact while leaving integrity and availability unaffected. It is listed under CWE-20 and was publicly disclosed on 12 September 2023.

An unauthenticated attacker can supply a specially crafted document that, once opened by a victim, leaks sensitive information from the targeted system. The attack requires the victim to interact with the malicious file, after which the attacker obtains data that would otherwise remain protected.

Microsoft has published remediation guidance in its Security Response Center update guide for CVE-2023-36761. The vulnerability also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming that it has been leveraged in real-world attacks and underscoring the need for prompt application of available patches.

EPSS for this CVE rose sharply from a low baseline to a peak of 0.7351 on 15 June 2024 before receding to its current value of 0.0553, indicating a distinct post-disclosure increase in observed exploitation interest.

Vulnerability details

Title: Microsoft Word Information Disclosure Vulnerability
CWE(s): CWE-20 (Improper Input Validation)
KEV date added: 12 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                               Versions
microsoft  365 apps                              all versions
microsoft  office                                2019
microsoft  office long term servicing channel    2021
microsoft  word                                  2013, 2016

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of Microsoft patches that remediate the input-validation flaw in Word.

SI-3 Malicious Code Protection (prevent, detect): Malicious-code protection mechanisms can inspect and block the specially crafted documents used to trigger the disclosure.

Monitoring (detect): Explicitly monitors for unauthorized information disclosure that occurs when the crafted document is opened.
