CVE-2023-29360
CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability
Published: 2023-06-14
Priority: P1 · 83 · CVSS 3.1: 8.4 (high)
CVSS vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · remediation due 2024-03-21
Exploited in the wild
EPSS: 22.13% (97.4th percentile)
Affected
28 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1607 | < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_10_1809 | < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_21h2 | < 10.0.19044.3086 | 10.0.19044.3086 |
| microsoft | windows_10_22h2 | < 10.0.19045.3086 | 10.0.19045.3086 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.3086 | 10.0.19044.3086 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3086 | 10.0.19045.3086 |
| microsoft | windows_11_21h2 | < 10.0.22000.2057 | 10.0.22000.2057 |
| microsoft | windows_11_22h2 | < 10.0.22621.1848 | 10.0.22621.1848 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2057 | 10.0.22000.2057 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.1848 | 10.0.22621.1848 |
| microsoft | windows_server_2016 | < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_server_2019 | < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_server_2022 | < 10.0.20348.1784 | 10.0.20348.1784 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1787 | 10.0.20348.1787 |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
Detection & IOCs (extracted from sources)
- Raspberry Robin exploits CVE-2023-29360 via a 64-bit external executable (not embedded in the main 32-bit component) that lacks the heavy obfuscation typical of the rest of the malware; look for anomalous 64-bit child processes spawned from the main 32-bit Raspberry Robin payload.
- Detect DLL side-loading of aclui.dll alongside a signed OleView.exe delivered in a RAR archive; this is the Raspberry Robin initial access vector used in conjunction with CVE-2023-29360 exploitation.
- Monitor for NtTraceEvent API patching at runtime, which Raspberry Robin uses to evade Event Tracing for Windows (ETW) detection during privilege escalation.
- Alert on processes calling AbortSystemShutdownW or ShutdownBlockReasonCreate from non-system binaries; Raspberry Robin uses these APIs to prevent shutdown interruption during exploitation.
- Detect Raspberry Robin's C2 beaconing pattern: initial outbound connections to 60 hard-coded Tor v3 .onion domains (masquerading as well-known sites) before contacting the real C2; flag any process making Tor circuit connections to the listed onion domains.
- Flag use of PAExec.exe for lateral movement or payload download; Raspberry Robin switched from PsExec.exe to PAExec.exe to evade behavioral signatures.
- Detect checks against GetUserDefaultLangID and GetModuleHandleW first-byte comparisons; Raspberry Robin uses these to detect security product API hooks before proceeding with exploitation.
- The CVE-2023-29360 exploit used by Raspberry Robin was deployed as an external 64-bit executable separate from the main malware body, and was first observed in the wild in August 2023, before any public PoC was available on GitHub (PoC published September 24, 2023). Detections based solely on known public PoC signatures may miss the in-the-wild variant.
- The exploit targets Windows 10 up through build number 22621; systems beyond this build or already patched with the June 2023 Patch Tuesday update are not vulnerable.
- CISA confirmed no evidence that CVE-2023-29360 was used in ransomware attacks specifically, though it is actively exploited by Raspberry Robin, which acts as an initial access broker for multiple crime groups.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 8.4 | HIGH | |
| cisa | 8.4 | HIGH | |
| vendor_msrc | 8.4 | HIGH | |
CISA
Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability
cisa · 2024-02-29 · CVSS 8.4
CVE-2023-29360 [HIGH] CWE-822
Vulnerability: Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability
Affected: Microsoft Streaming Service
Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29360 ; https://nvd.nist.gov/vuln/detail/CVE-2023-29360
Remediation Due Date: 2024-03-21
Microsoft
Microsoft Streaming Service Elevation of Privilege Vulnerability
vendor_msrc · 2023-06-13 · CVSS 8.4
CVE-2023-29360 [HIGH] CWE-822
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Product: Microsoft Streaming Service
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5027222
Reference: https://support.microsoft.com/help/5027222
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5027225
Reference: https://support.microsoft.com/help/5027225
Reference: https://catalog.upd
GHSA
GHSA-mfpj-f925-v5gx: Windows TPM Device Driver Elevation of Privilege Vulnerability
ghsa_unreviewed · 2023-06-14
CVE-2023-29360 [HIGH] CWE-822
VulnCheck
Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability
vulncheck · 2023 · CVSS 8.4
CVE-2023-29360 [HIGH] CWE-822
Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.
Affected: Microsoft Streaming Service
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.crowdstrike.com/explore/2026-global-threat-report
Exploit PoC: https://vulncheck.com/xdb/f4d98c781e76; https://vulncheck.com/xdb/4ff3cf601881; https://vulncheck.com/xdb
Project Zero
Project Zero RCA: CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
project_zero · CVSS 7.8
CVE-2023-36802 [HIGH]
# CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
*Benoît Sevens*
## The Basics
**Disclosure or Patch Date:** September 12, 2023
**Product:** Windows
**Advisory:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802
**Affected Versions:**
* Windows 10 without KB5030211 or KB5030214
* Windows 11 without KB5030219 or KB5030217
* Windows Server 2019 without KB5030214
* Windows Server 2022 without KB5030216 or KB503025
**First Patched Version:**
* Windows 10 with KB5030211 or KB5030214
* Windows 11 with KB5030219 or KB5030217
* Windows Server 2019 with KB5030214
* Windows Server 2022 with KB5030216 or KB503025
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):**
* Guanghui Xia (@ze0r) with
No detection rules found.
No public exploits indexed.
BleepingComputer
CISA warns of Microsoft Streaming bug exploited in malware attacks
blogs_bleepingcomputer · 2024-03-01 · CVSS 8.4
CVE-2023-29360 [HIGH]
## CISA warns of Microsoft Streaming bug exploited in malware attacks
## Sergiu Gatlan
CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that's actively exploited in attacks.
The security flaw (tracked as CVE-2023-29360) is due to an untrusted pointer dereference weakness that enables local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction.
CVE-2023-29360 was found by Synacktiv's Thomas Imbert in the Microsoft Streaming Service Proxy (MSKSSRV.SYS) and reported to Microsoft through Trend Micro's Zero Day Initiative. Redmond patched the bug during the June 2023 Patch Tuesday, with proof-of-concept exploit c
BleepingComputer
Raspberry Robin malware evolves with early access to Windows exploits
blogs_bleepingcomputer · 2024-02-10
## Raspberry Robin malware evolves with early access to Windows exploits
## Bill Toulas
Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them.
One-day exploits refer to code that leverages a vulnerability that the developer of the impacted software patched recently but the fix has either not been deployed to all clients or it has not been applied on all vulnerable systems.
From the moment the vendor discloses the vulnerability, which usually comes with publishing a patch, threat actors rush to create an exploit and use it before the fix propagates to a large number of systems.
According to a report from Check Point, Raspberry Robin has recently used at least two exploits for 1-day fl
Check Point
Raspberry Robin Keeps Riding the Wave of Endless 1-Days
blogs_checkpoint · 2024-02-07
CVE-2023-36802
## Key Findings
Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means
Qualys
Microsoft and Adobe Patch Tuesday, June 2023 Security Update Review | Qualys
blogs_qualys · 2023-06-13
#### Table of Contents
- Microsoft Patch Tuesday for June 2023
- Adobe Patches for June 2023
- Other Critical Severity Vulnerabilities Patched in June Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
Microsoft has released June’s edition of Patch Tuesday! This installment of security updates addressed 94 security vulnerabilities in various products, features, and roles.
## Microsoft Patch Tuesday for June 2023
No zero-day vulnerabil
Zscaler
Zscaler found Windows Security Vulnerabilities | 06-13-2023
blogs_zscaler · CVSS 8.4
[HIGH]
Timeline
- 2023-06-14: Published
- 2024-02-29: Added to CISA KEV
- Exploited in the wild