CVE-2023-36584
published 2023-10-10

CVE-2023-36584: Windows Mark of the Web Security Feature Bypass Vulnerability

Priority: P2 · 79 · medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
KEV / ITW: CISA Known Exploited Vulnerability, due 2023-12-07; exploited in the wild
EPSS: 3.06% (85.9th percentile)

Affected

40 ranges · showing 25

Vendor     Product                                Version range                        Fixed in
microsoft  windows_10_1507                        < 10.0.10240.20232                   10.0.10240.20232
microsoft  windows_10_1809                        < 10.0.17763.4974                    10.0.17763.4974
microsoft  windows_10_21h1                        < 10.0.19041.3570                    10.0.19041.3570
microsoft  windows_10_22h2                        < 10.0.19041.3570                    10.0.19041.3570
microsoft  windows_10_version_1507                >= 10.0.10240.0 < 10.0.10240.20232   10.0.10240.20232
microsoft  windows_10_version_1607                >= 10.0.14393.0 < 10.0.14393.6351    10.0.14393.6351
microsoft  windows_10_version_1809                >= 10.0.0 < 10.0.17763.4974          10.0.17763.4974
microsoft  windows_10_version_1809                >= 10.0.17763.0 < 10.0.17763.4974    10.0.17763.4974
microsoft  windows_10_version_21h2                >= 10.0.19043.0 < 10.0.19041.3570    10.0.19041.3570
microsoft  windows_10_version_22h2                >= 10.0.19045.0 < 10.0.19045.3570    10.0.19045.3570
microsoft  windows_11_21h2                        < 10.0.22000.2538                    10.0.22000.2538
microsoft  windows_11_22h2                        < 10.0.22621.2428                    10.0.22621.2428
microsoft  windows_11_version_21h2                >= 10.0.0 < 10.0.22000.2538          10.0.22000.2538
microsoft  windows_11_version_22h2                >= 10.0.22621.0 < 10.0.22621.2428    10.0.22621.2428
microsoft  windows_server_2008                    -                                    -
microsoft  windows_server_2008_r2_service_pack_1  >= 6.1.7601.0 < 6.1.7601.26769       6.1.7601.26769
microsoft  windows_server_2008_service_pack_2     >= 6.0.6003.0 < 6.0.6003.22317       6.0.6003.22317
microsoft  windows_server_2012                    -                                    -
microsoft  windows_server_2012                    >= 6.2.9200.0 < 6.2.9200.24523       6.2.9200.24523
microsoft  windows_server_2012_r2                 >= 6.3.9600.0 < 6.3.9600.21620       6.3.9600.21620
microsoft  windows_server_2016                    < 10.0.14393.6351                    10.0.14393.6351
microsoft  windows_server_2016                    >= 10.0.14393.0 < 10.0.14393.6351    10.0.14393.6351
microsoft  windows_server_2019                    < 10.0.17763.4974                    10.0.17763.4974
microsoft  windows_server_2019                    >= 10.0.17763.0 < 10.0.17763.4974    10.0.17763.4974
microsoft  windows_server_2022                    < 10.0.20348.2031                    10.0.20348.2031

Detection & IOCs (extracted from sources)

filename: Overview_of_UWCs_UkraineInNATO_campaign.docx
hash: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
url: hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
domain: ukrainianworldcongress[.]info
ip: 104.234.239[.]26
url: \\104.234.239[.]26\share1\MSHTML_C7\file001.url
ip: 74.50.94[.]156
url: hxxp://74.50.94[.]156/MSHTML_C7/start.xml
path: file[:]//104.234.239[.]26/share1/MSHTML_C7/1/__file001.htm?d=__
filename: 2222.chm
filename: file001.zip
filename: afchunk.rtf
  • The malicious .docx uses an altChunk element in word/document.xml to import an embedded RTF part (word/afchunk.rtf) containing malicious OLE objects; inspect DOCX archives for altChunk relationships that point to internal RTF parts.
  • The embedded RTF uses OLE autolink (objautlink) together with objupdate to force the object to refresh before it is displayed, which triggers an outbound SMB connection that leaks NTLM credentials; detect objautlink+objupdate combinations in RTF files.
  • The OLE object class is Word.Document.8 with a LinkedObject structure pointing to an attacker-controlled SMB share; monitor for Word.Document.8 OLE objects referencing external UNC paths in RTF files.
  • A second OLE object uses the xmlfile class with an EmbeddedObject structure containing a URLMoniker that loads a remote XML file over HTTP; detect xmlfile-class OLE objects with URLMoniker structures in RTF documents.
  • The attack leaks the victim's NTLM credentials via an outbound SMB connection to the attacker-controlled server at 104.234.239[.]26; monitor for unexpected outbound SMB (port 445) connections to external IPs originating from Office processes.
  • Microsoft's own advisory rates the exploit likelihood as 'Exploitation Less Likely' and records no public disclosure or confirmed exploitation, which may affect prioritization decisions despite the CISA KEV listing.
  • The MotW bypass only matters when the Word document is NOT tagged with MotW, so Protected View is never triggered; detections that rely solely on MotW tagging will not catch this exploit.
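The chain the bullets above describe (an altChunk pulling in an RTF part, an auto-updating linked Word.Document.8 object whose moniker names a UNC path, and an xmlfile object carrying a URL) can be triaged statically. The Python below is an added example written for this page, not code from the page's sources or from Microsoft. It constructs a minimal .docx in memory with TEST-NET addresses (203.0.113.7 and 203.0.113.8) standing in for the real infrastructure; the \objdata blobs are simplified stand-ins for real OLE1/moniker streams, so the UNC/URL extraction is a byte-level search (ANSI and NUL-stripped UTF-16LE) rather than a full moniker parser.

```python
# Added example: static triage of a .docx for the altChunk -> RTF -> OLE-link chain.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
UNC_RE = re.compile(rb"\\\\[0-9A-Za-z.\-]+\\[!#-~]+")  # \\host\share\path, printable ASCII
URL_RE = re.compile(rb"https?://[!#-~]+")


def find_altchunk_targets(zf):
    """Zip entries pulled in by <w:altChunk r:id=.../> in word/document.xml."""
    doc = ET.fromstring(zf.read("word/document.xml"))
    rels = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    by_id = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{PKG_NS}}}Relationship")}
    targets = []
    for chunk in doc.iter(f"{{{W_NS}}}altChunk"):
        target = by_id.get(chunk.get(f"{{{R_NS}}}id"))
        if target:  # relative targets resolve against word/, absolute ones against the package root
            targets.append(target.lstrip("/") if target.startswith("/") else "word/" + target)
    return targets


def rtf_object_groups(rtf):
    """Yield each brace-balanced {\\object ...} group, skipping \\{ and \\} escapes."""
    for m in re.finditer(rb"\{\\object\b", rtf):
        depth, i = 0, m.start()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                i += 2  # skip the escaped char (or the first letter of a control word)
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():i + 1]
                    break
            i += 1


def decode_objdata(group):
    """Hex-decode every \\objdata payload inside an object group."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", group):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        blobs.append(bytes.fromhex(hexstr[:len(hexstr) & ~1].decode()))
    return b"".join(blobs)


def inspect_rtf(rtf):
    """One finding per OLE object: class, link/update flags, UNC paths and URLs in its data."""
    findings = []
    for n, group in enumerate(rtf_object_groups(rtf)):
        cls = re.search(rb"\\objclass\s+([^\\{}\s]+)", group)
        data = decode_objdata(group)
        # Monikers store targets as ANSI or UTF-16LE; dropping NULs makes the latter searchable.
        haystacks = [group, data, data.replace(b"\x00", b"")]
        flags = []
        if b"\\objautlink" in group and b"\\objupdate" in group:
            flags.append("objautlink+objupdate")  # auto-linked object forced to refresh on open
        if b"\\objemb" in group:
            flags.append("objemb")
        unc = list(dict.fromkeys(x.decode() for h in haystacks for x in UNC_RE.findall(h)))
        urls = list(dict.fromkeys(x.decode() for h in haystacks for x in URL_RE.findall(h)))
        findings.append({"object": n, "class": cls.group(1).decode() if cls else None,
                         "flags": flags, "unc_paths": unc, "urls": urls,
                         "suspicious": bool(flags or unc or urls)})
    return findings


def triage_docx(data):
    """Resolve altChunk targets, then inspect each one that is really RTF (magic, not extension)."""
    report = {"altchunk_targets": [], "rtf_findings": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["altchunk_targets"] = find_altchunk_targets(zf)
        for t in report["altchunk_targets"]:
            body = zf.read(t) if t in zf.namelist() else b""
            if body.lstrip().startswith(b"{\\rtf"):
                report["rtf_findings"][t] = inspect_rtf(body)
    return report


def build_sample_docx():
    """Constructed minimal .docx shaped like the chain; addresses are TEST-NET placeholders."""
    unc = "\\\\203.0.113.7\\share1\\file001.url"
    url = "http://203.0.113.8/start.xml"
    link_blob = (b"\x01\x05\x00\x00" + unc.encode("utf-16le") + b"\x00\x00\x01\x02").hex().encode()
    url_blob = (b"\x01\x05\x00\x00" + url.encode() + b"\x00\x00\x01\x02").hex().encode()
    rtf = (b"{\\rtf1\\ansi Lure{\\object\\objautlink\\objupdate\\objw100\\objh100"
           b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + link_blob + b"}}"
           b"{\\object\\objemb{\\*\\objclass xmlfile}{\\*\\objdata " + url_blob + b"}}}")
    document = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p><w:r>'
                '<w:t>Lure text</w:t></w:r></w:p><w:altChunk r:id="rId1"/></w:body></w:document>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/aFChunk" Target="afchunk.rtf"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()
```

Run `triage_docx(open(path, "rb").read())` on a suspect file; a report whose rtf_findings contains an object with the objautlink+objupdate flag and a UNC path, or an xmlfile object with a URL, matches the pattern in the bullets. The RTF part is recognised by its `{\rtf` magic rather than its name, since the altChunk target need not end in .rtf.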
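For the outbound-SMB bullet, here is an added example (not from the page's sources) of the host-side detection logic, run over constructed records shaped like Sysmon Event ID 3 (NetworkConnect). The Office image names and the internal address ranges are assumptions to adjust to the environment; 203.0.113.0/24 is a TEST-NET range used only as a stand-in for an external server.

```python
# Added example: flag Office processes opening outbound SMB to addresses outside the org's ranges.
import ipaddress

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed set
SMB_PORTS = {445, 139}
# Assumed internal address plan (RFC 1918 + loopback + link-local); adjust to the estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed records shaped like Sysmon Event ID 3 fields; 203.0.113.0/24 is TEST-NET.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445, "Initiated": True},   # not Office
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445, "Initiated": True},   # internal share
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443, "Initiated": True},   # HTTPS, not SMB
]


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def office_smb_egress(events):
    """(image, ip:port) for each outbound SMB connection an Office process made to an external host."""
    hits = []
    for e in events:
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if (image in OFFICE_IMAGES and e.get("Initiated", True)
                and int(e["DestinationPort"]) in SMB_PORTS and is_external(e["DestinationIp"])):
            hits.append((image, f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return hits
```

Only the first record survives the filter: the same destination from svchost.exe is normal SMB client traffic, Word reaching an internal share is expected, and Excel on 443 is not SMB. The internal ranges are an explicit list rather than `ipaddress`'s `is_private`, because that property also treats the documentation ranges as private and, more importantly, an organisation's real routable ranges are what the check needs.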

CVSS provenance

nvd          5.4 MEDIUM  (v3.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
vulncheck    7.5 HIGH
cisa         5.4 MEDIUM
vendor_msrc  5.4 MEDIUM