CVE-2023-41763
Published: 10 October 2023
Summary
CVE-2023-41763 is a medium-severity SSRF (CWE-918) vulnerability in Microsoft Skype For Business Server. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-41763 is an elevation-of-privilege vulnerability in Skype for Business that stems from a server-side request forgery flaw (CWE-918). The affected component allows an unauthenticated network attacker to cause the server to issue requests to arbitrary destinations, resulting in limited information disclosure as reflected in its CVSS 5.3 score (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
An attacker with no credentials and no user interaction can send crafted requests over the network to a Skype for Business server and obtain partial confidential data that would otherwise be inaccessible. Because the vulnerability requires no authentication and has low attack complexity, it can be exploited from anywhere on the network from which the service is reachable.
Microsoft’s security update guide and the CISA Known Exploited Vulnerabilities catalog both reference the issue, indicating that administrators should apply the patches supplied through the standard Microsoft Update channels to eliminate the SSRF vector.
The EPSS score for this CVE rose sharply from a low baseline after disclosure, reaching a peak of 0.7335 on 2024-11-11 before receding to its current value of 0.1650; its inclusion in the CISA KEV catalog further confirms observed in-the-wild exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46255
Vulnerability details
Skype for Business Elevation of Privilege Vulnerability
- CWE(s): CWE-918 (Server-Side Request Forgery)
- KEV Date Added: 10 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SSRF vector by requiring validation of all user-supplied URLs and request parameters before the Skype for Business server issues outbound requests.
- AC-4 (Information Flow Enforcement): enforces information-flow rules that restrict the server component from initiating arbitrary outbound requests to internal or external resources.
- Boundary protection: boundary-protection mechanisms can be configured to deny or proxy the unauthorized outbound connections that the SSRF flaw enables.
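As an added illustration of the SI-10 and AC-4 controls above (this is example code, not part of the CVE record and not Microsoft's product code), the following Python validator applies a deny-by-default policy to any URL taken from an untrusted request before the server is allowed to contact it; the allowlisted hostnames and ports are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hostnames this server component is permitted to
# contact and the schemes/ports it may use. Anything else is denied by default.
ALLOWED_HOSTS = {"webdir.example.test", "federation.example.test"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL supplied by an untrusted client.

    The check runs before any outbound request is issued, so a rejected URL
    never results in a connection attempt from the server.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Reject every IP literal: the allowlist is hostname-based, and literals
    # are the usual route to loopback, link-local and RFC 1918 addresses.
    try:
        ipaddress.ip_address(host)
        return False, f"IP literal not allowed: {host}"
    except ValueError:
        pass
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    return True, "ok"


def filter_outbound_urls(urls):
    """Split candidate URLs into allowed and denied lists of (url, reason)."""
    allowed, denied = [], []
    for url in urls:
        ok, reason = validate_outbound_url(url)
        (allowed if ok else denied).append((url, reason))
    return allowed, denied
```

Checking the URL string alone does not cover a DNS answer that later maps an allowlisted name to an internal address, so the same address checks belong at connect time as well (or the resolved address should be pinned); that is the boundary-protection layer the third control describes.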