CVE-2023-28231
published 2023-04-11

CVE-2023-28231: DHCP Server Service Remote Code Execution Vulnerability

Priority: P261 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 36.87% (98.3rd percentile)

Affected

17 ranges

Vendor     Product                                                      Version range                        Fixed in
microsoft  windows_server_2008                                          -                                    -
microsoft  windows_server_2008_r2_service_pack_1                        >= 6.1.7601.0   < 6.1.7601.26466     6.1.7601.26466
microsoft  windows_server_2008_service_pack_2                           >= 6.0.6003.0   < 6.0.6003.22015     6.0.6003.22015
microsoft  windows_server_2012                                          -                                    -
microsoft  windows_server_2012                                          >= 6.2.9200.0   < 6.2.9200.24216     6.2.9200.24216
microsoft  windows_server_2012_r2                                       >= 6.3.9600.0   < 6.3.9600.20919     6.3.9600.20919
microsoft  windows_server_2016                                          >= 10.0.14393.0 < 10.0.14393.5850    10.0.14393.5850
microsoft  windows_server_2019                                          >= 10.0.17763.0 < 10.0.17763.4252    10.0.17763.4252
microsoft  windows_server_2022                                          >= 10.0.20348.0 < 10.0.20348.1668    10.0.20348.1668
msrc       windows_server_2008_for_32-bit_systems_service_pack_2        -                                    -
msrc       windows_server_2008_for_x64-based_systems_service_pack_2     -                                    -
msrc       windows_server_2008_r2_for_x64-based_systems_service_pack_1  -                                    -
msrc       windows_server_2012                                          -                                    -
msrc       windows_server_2012_r2                                       -                                    -
msrc       windows_server_2016                                          -                                    -
msrc       windows_server_2019                                          -                                    -
msrc       windows_server_2022                                          -                                    -

A "-" means the source lists the product without a version range. The "Fixed in" build is the first build that carries the fix; any later cumulative update for that release line includes it.
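To turn the table above into a check, the following Python (added here as an example; it is not code from this page, from NVD or from Microsoft) parses the page's ">= first-vulnerable < first-fixed" notation and classifies a four-part Windows build string against every listed release line. The range strings are copied from the table; the function names, the status labels and the sample builds are assumptions made for illustration. It says nothing about whether the DHCP Server role is installed, which is the other precondition for exposure.

```python
"""Classify a Windows build number against the Affected table above.

Added example, not code from the page or from Microsoft. The range
strings are transcribed from the table; the status labels, the
parse_build/assess names and the sample builds are assumptions made
here for illustration.
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, ...]

# Vulnerable ranges in the page's own notation: ">= first-vulnerable < first-fixed".
AFFECTED_RANGES: Dict[str, str] = {
    "windows_server_2008_service_pack_2":    ">= 6.0.6003.0 < 6.0.6003.22015",
    "windows_server_2008_r2_service_pack_1": ">= 6.1.7601.0 < 6.1.7601.26466",
    "windows_server_2012":                   ">= 6.2.9200.0 < 6.2.9200.24216",
    "windows_server_2012_r2":                ">= 6.3.9600.0 < 6.3.9600.20919",
    "windows_server_2016":                   ">= 10.0.14393.0 < 10.0.14393.5850",
    "windows_server_2019":                   ">= 10.0.17763.0 < 10.0.17763.4252",
    "windows_server_2022":                   ">= 10.0.20348.0 < 10.0.20348.1668",
}

_RANGE_RE = re.compile(r"^>=\s*([\d.]+)\s*<\s*([\d.]+)$")


def parse_build(text: str) -> Build:
    """'10.0.17763.4010' -> (10, 0, 17763, 4010). Rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted build number: {text!r}")
    return tuple(int(p) for p in parts)


def parse_range(spec: str) -> Tuple[Build, Build]:
    """Split '>= A < B' into (A, B); B is the first fixed build."""
    m = _RANGE_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"unrecognised range: {spec!r}")
    return parse_build(m.group(1)), parse_build(m.group(2))


def assess(build: str) -> Dict[str, Optional[str]]:
    """Return {'product', 'status', 'fixed_in'} for one build string.

    status is one of:
      vulnerable   - inside a listed range (DHCP Server role must also be installed)
      patched      - at or above the first fixed build for that release line
      unknown_ubr  - release line matches but the 4th (UBR) component is missing
      not_listed   - major.minor.build matches no product on the page
    """
    b = parse_build(build)
    for product, spec in AFFECTED_RANGES.items():
        lo, hi = parse_range(spec)
        if b[:3] != lo[:3]:
            continue                       # different OS release line
        fixed = ".".join(map(str, hi))
        if len(b) < 4:
            # Without the UBR we cannot place the build relative to the fix.
            return {"product": product, "status": "unknown_ubr", "fixed_in": fixed}
        status = "vulnerable" if lo <= b < hi else "patched"
        return {"product": product, "status": status, "fixed_in": fixed}
    return {"product": None, "status": "not_listed", "fixed_in": None}
```

On the host itself the four-part build can be assembled from the CurrentBuildNumber and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion together with the OS major.minor version, and the role presence checked with Get-WindowsFeature DHCP; only hosts with the DHCP Server role installed expose the service. "patched" means at or above the first fixed build in the table; later cumulative updates for the same release line carry the same fix.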

Detection & IOCs (extracted from sources)

  • Attack vector is Adjacent (AV:A): the attacker must already be on the restricted or local network segment before exploitation, so this is not an internet-facing attack. Note that DHCP relay agents forward client messages from other segments to the server, so any segment whose relay points at the server counts as adjacent for practical purposes. Monitor for unexpected or malformed DHCP requests from within those segments targeting the Windows DHCP Server service.
  • No authentication is required (PR:N): detect specially crafted calls to the DHCP service from unauthenticated sources on the local network, and flag anomalous DHCP traffic patterns (malformed or unexpected option fields).
  • CVE-2023-28231 is a DHCPv6 RCE flaw: monitor for unusual DHCPv6 traffic (UDP ports 546/547) on Windows Server systems running the DHCP Server Service.
  • As of the advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, though Microsoft rated it 'Exploitation More Likely'.
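The option-field checks in the list above can be made concrete. The following Python is an added example, not code from this page, from Microsoft or from any detection vendor: it walks the option TLVs of a DHCPv6 message addressed to a server (message and option layout per RFC 8415) and reports the structural anomalies the list describes, namely declared option lengths that overrun the datagram, fixed-size options with the wrong length, duplicated singleton options and server-only message types arriving at the server. The option size bounds, the function names and the two constructed sample packets are assumptions made here; the code does not know the specific trigger for CVE-2023-28231, which the page does not describe.

```python
"""Sanity-check DHCPv6 messages for malformed option fields.

Added example, not taken from the page or from Microsoft. Message and
option layout follow RFC 8415; the expected-size rules are a subset
chosen here, and the sample packets are constructed.
Feed it the UDP payload of traffic to port 547 (e.g. from a pcap).
"""
import struct
from typing import List

# RFC 8415 message types a DHCPv6 server legitimately receives from clients/relays.
CLIENT_TO_SERVER = {1: "SOLICIT", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW", 6: "REBIND",
                    8: "RELEASE", 9: "DECLINE", 11: "INFORMATION-REQUEST", 12: "RELAY-FORW"}
SERVER_ONLY = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}

# option code -> (name, min_len, max_len); None means no upper bound.
OPTION_SPECS = {
    1:  ("CLIENTID", 2, None),     # DUID: 2-byte type + payload
    2:  ("SERVERID", 2, None),
    3:  ("IA_NA", 12, None),       # IAID + T1 + T2, then sub-options
    5:  ("IAADDR", 24, None),      # addr(16) + preferred(4) + valid(4), then sub-options
    6:  ("ORO", 0, None),
    7:  ("PREFERENCE", 1, 1),
    8:  ("ELAPSED_TIME", 2, 2),
    9:  ("RELAY_MSG", 4, None),
    12: ("UNICAST", 16, 16),
    13: ("STATUS_CODE", 2, None),
    14: ("RAPID_COMMIT", 0, 0),
    18: ("INTERFACE_ID", 0, None),
    25: ("IA_PD", 12, None),
    26: ("IAPREFIX", 25, None),
}
NESTED = {3: 12, 5: 24, 25: 12, 26: 25}   # options carrying sub-options, and where they start
SINGLETON = {1, 2, 7, 8, 14}              # must not repeat at the same level


def audit_options(buf: bytes, findings: List[str], depth: int = 0, ctx: str = "top") -> None:
    """Walk a TLV option list, appending human-readable findings."""
    off, seen = 0, set()
    while off < len(buf):
        if len(buf) - off < 4:
            findings.append(f"{ctx}: trailing {len(buf) - off} byte(s) cannot hold an option header")
            return
        code, length = struct.unpack_from("!HH", buf, off)
        body = buf[off + 4: off + 4 + length]
        if len(body) < length:
            findings.append(f"{ctx}: option {code} declares len {length} but only {len(body)} byte(s) remain")
            return   # nothing after an overrun can be trusted
        name, lo, hi = OPTION_SPECS.get(code, (f"opt{code}", 0, None))
        if length < lo or (hi is not None and length > hi):
            findings.append(f"{ctx}: {name} len {length} outside expected [{lo}, {hi if hi is not None else 'inf'}]")
        if code in SINGLETON and code in seen:
            findings.append(f"{ctx}: duplicate {name}")
        seen.add(code)
        if code in NESTED and length >= NESTED[code]:
            if depth >= 4:
                findings.append(f"{ctx}: {name} nested deeper than 4 levels")
            else:
                audit_options(body[NESTED[code]:], findings, depth + 1, f"{ctx}/{name}")
        off += 4 + length


def audit_dhcpv6(payload: bytes) -> List[str]:
    """Return anomalies for one DHCPv6 UDP payload sent to a server (empty = looks sane)."""
    findings: List[str] = []
    if not payload:
        return ["empty payload"]
    msg_type = payload[0]
    if msg_type in SERVER_ONLY:
        findings.append(f"server-only message type {SERVER_ONLY[msg_type]} sent towards the server")
    elif msg_type not in CLIENT_TO_SERVER:
        findings.append(f"unknown message type {msg_type}")
    hdr = 34 if msg_type in (12, 13) else 4     # relay: type + hop + link(16) + peer(16)
    if len(payload) < hdr:
        findings.append(f"truncated header: {len(payload)} byte(s), need {hdr}")
        return findings
    audit_options(payload[hdr:], findings)
    return findings


def opt(code: int, body: bytes) -> bytes:
    """Encode one option (helper for the constructed samples)."""
    return struct.pack("!HH", code, len(body)) + body


# Constructed samples: a well-formed SOLICIT and one carrying two bad options.
DUID = b"\x00\x03\x00\x01" + b"\x00\x11\x22\x33\x44\x55"     # DUID-LL with a made-up MAC
GOOD_SOLICIT = bytes([1, 0xab, 0xcd, 0xef]) + opt(1, DUID) + opt(8, b"\x00\x00") \
    + opt(3, struct.pack("!III", 1, 0, 0)) + opt(6, struct.pack("!HH", 23, 24))
BAD_SOLICIT = bytes([1, 0xab, 0xcd, 0xef]) + opt(1, DUID) + opt(8, b"\x00\x00\x00\x00") \
    + struct.pack("!HH", 3, 0x0fff) + b"\x00" * 12   # IA_NA claims 4095 bytes, carries 12
```

An empty result means nothing structurally wrong was found. A flagged datagram is a lead, not a verdict: broken client implementations also emit malformed options, so correlate with source address, volume over time and the DHCP server's own logs before escalating.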

CVSS provenance

  nvd (v3.1):     8.8 HIGH  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  vendor (msrc):  8.8 HIGH