cbcvebase.
CVE-2023-32046
published 2023-07-11

CVE-2023-32046: Windows MSHTML Platform Elevation of Privilege Vulnerability

Priority P180 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2023-08-01
Exploited in the wild
EPSS: 9.08% (94.7th percentile)
Windows MSHTML Platform Elevation of Privilege Vulnerability

Affected

38 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1507 | < 10.0.10240.20048 | 10.0.10240.20048 |
| microsoft | windows_10_1607 | < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_10_1809 | < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_21h2 | < 10.0.19041.3208 | 10.0.19041.3208 |
| microsoft | windows_10_22h2 | < 10.0.19045.3208 | 10.0.19045.3208 |
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20048 | 10.0.10240.20048 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.3208 | 10.0.19044.3208 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3208 | 10.0.19045.3208 |
| microsoft | windows_11_21h2 | < 10.0.22000.2176 | 10.0.22000.2176 |
| microsoft | windows_11_22h2 | < 10.0.22621.1992 | 10.0.22621.1992 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2176 | 10.0.22000.2176 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.1992 | 10.0.22621.1992 |
| microsoft | windows_server_2008 | | |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26623 | 6.1.7601.26623 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22175 | 6.0.6003.22175 |
| microsoft | windows_server_2012 | | |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24374 | 6.2.9200.24374 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.21063 | 6.3.9600.21063 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.6085 | 10.0.14393.6085 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4645 | 10.0.17763.4645 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1850 | 10.0.20348.1850 |
| msrc | windows_10 | | |

Detection & IOCs (extracted from sources)

filename: start.xml
registry: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
  • Detect suspicious child processes spawned by Microsoft Office applications on Windows, which may indicate exploitation of CVE-2023-32046 or related vulnerabilities.
  • The exploit requires a user to open a specially crafted file delivered via email or a malicious/compromised website. Monitor for Office applications opening files from untrusted locations and subsequently making network connections.
  • The IP addresses associated with Storm-0978/RomCom activity are known to host TOR/VPN infrastructure. Monitor outbound connections to these IPs from Office processes.
  • The SHA-256 hashes and IP addresses listed are associated with the broader Storm-0978/RomCom campaign (primarily CVE-2023-36884). They are reported alongside CVE-2023-32046 as related IOCs but may not be exclusively tied to CVE-2023-32046 exploitation.
  • The MSHTML platform remains active and exploitable even on systems where Internet Explorer 11 has been retired, because it is still used by IE mode in Edge, the WebBrowser control, and other legacy applications.

CVSS provenance

nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck · 7.8 HIGH
cisa · 7.8 HIGH
vendor_msrc · 7.8 HIGH