CVE-2023-28231
published 2023-04-11CVE-2023-28231: DHCP Server Service Remote Code Execution Vulnerability
PriorityP261high8.8CVSS 3.1
AVAACLPRNUINSUCHIHAH
EPSS
36.87%
98.3th percentile
DHCP Server Service Remote Code Execution Vulnerability
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26466 | 6.1.7601.26466 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22015 | 6.0.6003.22015 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24216 | 6.2.9200.24216 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.20919 | 6.3.9600.20919 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.5850 | 10.0.14393.5850 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4252 | 10.0.17763.4252 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1668 | 10.0.20348.1668 |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploit vector is adjacent network (AV:A) — monitor for unexpected or malformed DHCP requests originating from within the local network segment targeting Windows DHCP Server service ↗
- →Detect specially crafted calls to the DHCP service from unauthenticated sources on the local network; anomalous DHCP traffic patterns (malformed or unexpected option fields) should be flagged ↗
- →CVE-2023-28231 is a DHCPv6 RCE flaw — monitor for unusual DHCPv6 traffic (UDP port 546/547) on Windows Server systems running the DHCP Server Service ↗
- ·Attack vector is Adjacent Network (AV:A), meaning the attacker must already have access to the restricted/local network segment before exploitation — this is not a remote internet-facing attack ↗
- ·As of the advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, though Microsoft rated it 'Exploitation More Likely' ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-g8vr-9m8f-7hmc: DHCP Server Service Remote Code Execution Vulnerability
ghsa_unreviewed·2023-04-11
CVE-2023-28231 [HIGH] GHSA-g8vr-9m8f-7hmc: DHCP Server Service Remote Code Execution Vulnerability
DHCP Server Service Remote Code Execution Vulnerability
Microsoft
DHCP Server Service Remote Code Execution Vulnerability
vendor_msrc·2023-04-11·CVSS 8.8
CVE-2023-28231 [HIGH] CWE-122 DHCP Server Service Remote Code Execution Vulnerability
DHCP Server Service Remote Code Execution Vulnerability
FAQ: According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires that an attacker will need to first gain access to the restricted network before running an attack.
FAQ: How could an attacker exploit this vulnerability?
An unauthenticated attacker could leverage a specially crafted call to the DHCP service to exploit this vulnerability.
Windows DHCP Server: Windows DHCP Server
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely;DOS:N/A
Reference: https://catalog.update.microsoft.com/v7/site/Sear
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
blogs_bleepingcomputer·2024-08-14·CVSS 9.8
[CRITICAL] Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
## Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
## Sergiu Gatlan
As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.
Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an "exploitation more likely" label, which means that threat actors could create exploit code to "consistently exploit the flaw in attacks."
"Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created," Redmond explains .
"As such, customers w
Qualys
Microsoft and Adobe Patch Tuesday April 2023 Security Update Review | Qualys
blogs_qualys·2023-04-12
Microsoft and Adobe Patch Tuesday April 2023 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for April 2023
- Adobe Patches for April 2023
- Zero-day Vulnerability Patched in April Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in April Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
- This Month in Vulnerabilities & Patches
Microsoft released security updates to address 114 vulnerabilities in the April Patch Tuesday edition. The security advisories co
Krebs
Microsoft (& Apple) Patch Tuesday, April 2023 Edition
blogs_krebs·2023-04-12·CVSS 8.8
CVE-2023-28206 [HIGH] Microsoft (& Apple) Patch Tuesday, April 2023 Edition
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones , iPads and Macs .
On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206 , which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.
Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6 . If you use Apple devices and you don’t have automatic upda
Qualys
Microsoft and Adobe Patch Tuesday April 2023 Security Update Review
blogs_qualys·2023-04-12
Microsoft and Adobe Patch Tuesday April 2023 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for April 2023
Adobe Patches for April 2023
Zero-day Vulnerability Patched in April Patch Tuesday Edition
Other Critical Severity Vulnerabilities Patched in April Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
Qualys Monthly Webinar Series
This Month in Vulnerabilities & Patches
Microsoft released security updates to address 114 vulnerabilities in the April Patch Tuesday edition. The security advisories cover various vul
Talos
Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
blogs_talos·2023-04-11·CVSS 7.8
CVE-2023-28252 [HIGH] Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
## Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.
April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”
CVE-2023-28252 , an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.
The U.S. Cybersecurity and Infrastructure Security Agency already added
Talos
Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
blogs_talos·2023-04-11·CVSS 7.8
CVE-2023-28252 [HIGH] Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.
April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”
CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.
The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to pa
Tenable
Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)
blogs_tenable·2023-04-11·CVSS 7.8
[HIGH] Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Krebs
Microsoft (& Apple) Patch Tuesday, April 2023 Edition
blogs_krebs·2023-04-11·CVSS 8.8
CVE-2023-28206 [HIGH] Microsoft (& Apple) Patch Tuesday, April 2023 Edition
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.
Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates
Crowdstrike
April 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] April 2023 Patch Tuesday: Updates and Analysis
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
2023-04-11
Published