CVE-2023-24941
published 2023-05-09CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability
PriorityP279critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
94.68%
99.8th percentile
Windows Network File System Remote Code Execution Vulnerability
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24266 | 6.2.9200.24266 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.20969 | 6.3.9600.20969 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.5921 | 10.0.14393.5921 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4377 | 10.0.17763.4377 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1726 | 10.0.20348.1726 |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor NFS4 traffic on ports 2049/TCP and 2049/UDP for NFSv4.1 calls containing utf8string fields with lengths greater than 0x1000, which are suspicious and indicative of an exploitation attempt. ↗
- →Focus detection on fields parsed by Nfs4SvrXdrpDecode_STRING in all NFS4 messages, as the vulnerable code path XdrDecodeString can only be triggered when called from Nfs4SvrXdrpDecode_STRING. ↗
- →The exploit is unauthenticated and delivered over the network via a specially crafted NFS RPC call; no credentials or user interaction are required, so any unauthenticated NFSv4.1 request with anomalously large utf8string fields should be flagged. ↗
- →When parsing ONC RPC messages over TCP, inspect the Fragment header length field and the utf8string length prefix in NFS4 messages; large declared string lengths (>0x1000) with no legitimate operational justification are attack indicators. ↗
- ·The vulnerability only affects NFSv4.1; NFSv2.0 and NFSv3.0 are not exploitable by this CVE. Disabling NFSv4.1 is a temporary mitigation, but must NOT be applied unless CVE-2022-26937 (May 2022 patch) is already installed, as that patch addresses critical flaws in NFSv2.0 and NFSv3.0. ↗
- ·The 0x1000 string-length detection threshold is based on typical file path string limits and may need tuning for environments with non-standard NFS server configurations. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Windows Network File System Remote Code Execution Vulnerability
vendor_msrc·2023-05-09·CVSS 9.8
CVE-2023-24941 [CRITICAL] CWE-908 Windows Network File System Remote Code Execution Vulnerability
Windows Network File System Remote Code Execution Vulnerability
FAQ: How could an attacker exploit this vulnerability?
This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).
Windows Network File System: Windows Network File System
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely;DOS:N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5026362
Reference: https://support.microsoft.com/help/5026362
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5026370
Reference: https://sup
GHSA
GHSA-w922-j3ph-rjm7: Windows Network File System Remote Code Execution Vulnerability
ghsa_unreviewed·2023-05-09
CVE-2023-24941 [CRITICAL] GHSA-w922-j3ph-rjm7: Windows Network File System Remote Code Execution Vulnerability
Windows Network File System Remote Code Execution Vulnerability
No detection rules found.
No public exploits indexed.
Trendmicro
Microsoft Network File System Remote Code Execution
blogs_trendmicro·2023-06-01·CVSS 9.8
CVE-2023-24941 [CRITICAL] Microsoft Network File System Remote Code Execution
## CVE-2023-24941: Microsoft Network File System Remote Code Execution
Learn about Microsoft Network file system remote code execution.
By: Trend Micro Research Jun 01, 2023 Read time: ( words)
Save to Folio
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Network File Service (NFS). This bug was originally discovered by Wei in Kunlun Lab with Cyber KunLun . The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings when the server is low on memory. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to an affected serve
Trendmicro
Microsoft Network File System Remote Code Execution
blogs_trendmicro·2023-06-01·CVSS 9.8
CVE-2023-24941 [CRITICAL] Microsoft Network File System Remote Code Execution
# CVE-2023-24941: Microsoft Network File System Remote Code Execution
Learn about Microsoft Network file system remote code execution.
By: Trend Micro Research
2023/06/01
Read time: ( words)
Save to Folio
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Network File Service (NFS). This bug was originally discovered by Wei in Kunlun Lab with Cyber KunLun. The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings when the server is low on memory. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to an affected server.
Trendmicro
Microsoft Network File System Remote Code Execution
blogs_trendmicro·2023-06-01·CVSS 9.8
CVE-2023-24941 [CRITICAL] Microsoft Network File System Remote Code Execution
## CVE-2023-24941: Microsoft Network File System Remote Code Execution
Learn about Microsoft Network file system remote code execution.
By: Trend Micro Research 2023/06/01 Read time: ( words)
Save to Folio
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Network File Service (NFS). This bug was originally discovered by Wei in Kunlun Lab with Cyber KunLun . The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings when the server is low on memory. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to an affected server.
Krebs
Microsoft Patch Tuesday, May 2023 Edition
blogs_krebs·2023-05-10·CVSS 6.7
CVE-2023-29336 [MEDIUM] Microsoft Patch Tuesday, May 2023 Edition
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
First up in May’s zero-day flaws is CVE-2023-29336 , which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out , the attack vector for this bug is local.
“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen , director of cyber threat research at Immersive Labs . “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow th
Krebs
Microsoft Patch Tuesday, May 2023 Edition
blogs_krebs·2023-05-10·CVSS 6.7
CVE-2023-29336 [MEDIUM] Microsoft Patch Tuesday, May 2023 Edition
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.
“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the at
Talos
Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
blogs_talos·2023-05-09·CVSS 9.8
[CRITICAL] Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
## Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.
However, two of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.
In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”
One of the zero-day vulnerabilities included this month is CVE-2023-29336 , an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.
Qualys
Microsoft and Adobe Patch Tuesday, May 2023 Security Update Review
blogs_qualys·2023-05-09
Microsoft and Adobe Patch Tuesday, May 2023 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for May 2023
Adobe Patches for May 2023
Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
Other Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
Qualys Monthly Webinar Series
This Month in Vulnerabilities & Patches
Microsoft has addressed 49 vulnerabilities in its May Patch Tuesday edition. The security advisories cover various vulnerabilities in different produc
Talos
Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
blogs_talos·2023-05-09·CVSS 9.8
[CRITICAL] Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years
Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.
However, two of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.
In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”
One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.
The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability
Qualys
Microsoft Patch Tuesday, May 2023 Security Update Review | Qualys
blogs_qualys·2023-05-09
Microsoft Patch Tuesday, May 2023 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for May 2023
- Adobe Patches for May 2023
- Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
- This Month in Vulnerabilities & Patches
Microsoft has addressed 49 vulnerabilities in its May Patch Tuesday edition. The security advisories cover various vulnerabilities in d
Tenable
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
blogs_tenable·2023-05-09·CVSS 7.8
[HIGH] Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Crowdstrike
May 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] May 2023 Patch Tuesday: Updates and Analysis
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
2023-05-09
Published