Cyber Resilience

CVE-2023-41763

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 October 2023
Modified: 28 October 2025
KEV Added: 10 October 2023
Patch
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1650 (95.1 percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-41763 is a medium-severity SSRF (CWE-918) vulnerability in Microsoft Skype for Business Server. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-41763 is an elevation-of-privilege vulnerability in Skype for Business that stems from a server-side request forgery flaw (CWE-918). The affected component allows an unauthenticated network attacker to make the server issue requests to arbitrary destinations, resulting in limited information disclosure, as reflected in its CVSS 5.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

An attacker with no credentials and no user interaction can send crafted requests over the network to a Skype for Business server and obtain partial confidential data that would otherwise be inaccessible. Because the vulnerability requires no authentication and has low attack complexity, it can be exploited from any network location that can reach the service.

Microsoft’s security update guide and the CISA Known Exploited Vulnerabilities catalog both reference the issue, indicating that administrators should apply the patches supplied through the standard Microsoft Update channels to eliminate the SSRF vector.

The EPSS score for this CVE rose sharply from a low baseline after disclosure, reaching a peak of 0.7335 on 2024-11-11 before receding to its current value of 0.1650; its inclusion in the CISA KEV catalog further confirms observed in-the-wild exploitation activity.


Vulnerability details

Skype for Business Elevation of Privilege Vulnerability
CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 10 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Skype for Business Server 2015, 2019

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the SSRF vector by requiring validation of all user-supplied URLs and request parameters before the Skype for Business server issues outbound requests.

AC-4 Information Flow Enforcement (prevent)
Enforces information-flow rules that restrict the server component from initiating arbitrary outbound requests to internal or external resources.

SC-7 Boundary Protection (prevent)
Boundary-protection mechanisms can be configured to deny or proxy the unauthorized outbound connections that the SSRF flaw enables.
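As an added illustration of the input-validation control described above (this is example code, not code from this page, from Microsoft, or from Skype for Business, and it does not replace the vendor patch): a check a server can run before issuing an outbound request on behalf of an untrusted caller. It rejects non-allowlisted hosts, embedded credentials, unexpected ports, and hostnames that resolve to private, loopback or link-local addresses, and returns the resolved address so the caller connects to what was checked. The allowlist contents and the injectable `resolver` parameter are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this server may fetch on a caller's behalf.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses; rejects loopback, RFC 1918, link-local, etc."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver=socket.gethostbyname):
    """Decide whether the server may request `url` on behalf of an untrusted caller.

    Returns (True, resolved_ip) or (False, reason). Connect to the returned IP (sending the
    hostname in Host/SNI) instead of resolving again, so the address that was checked is
    the address that is contacted. `resolver` is injectable so the check runs offline in tests.
    """
    parts = urlsplit(url)  # scheme and hostname are lowercased by urlsplit
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials not allowed"
    host = parts.hostname  # IP literals come through as-is and fail the allowlist below
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        ip = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not is_public_address(ip):
        return False, "resolves to a non-public address"
    return True, ip
```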
