cbcvebase.
CVE-2023-36874
published 2023-07-11

CVE-2023-36874: Windows Error Reporting Service Elevation of Privilege Vulnerability

PriorityP183high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2023-08-01
Exploited in the wild
EPSS
32.31%
98.1th percentile
Windows Error Reporting Service Elevation of Privilege Vulnerability

Affected

41 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows_10_1507< 10.0.10240.2004810.0.10240.20048
microsoftwindows_10_1607< 10.0.14393.608510.0.14393.6085
microsoftwindows_10_1809< 10.0.17763.464510.0.17763.4645
microsoftwindows_10_21h2< 10.0.19041.320810.0.19041.3208
microsoftwindows_10_22h2< 10.0.19045.320810.0.19045.3208
microsoftwindows_10_version_1507>= 10.0.10240.0 < 10.0.10240.2004810.0.10240.20048
microsoftwindows_10_version_1607>= 10.0.14393.0 < 10.0.14393.608510.0.14393.6085
microsoftwindows_10_version_1809>= 10.0.0 < 10.0.17763.464510.0.17763.4645
microsoftwindows_10_version_1809>= 10.0.17763.0 < 10.0.17763.464510.0.17763.4645
microsoftwindows_10_version_21h2>= 10.0.19043.0 < 10.0.19044.320810.0.19044.3208
microsoftwindows_10_version_22h2>= 10.0.19045.0 < 10.0.19045.320810.0.19045.3208
microsoftwindows_11_21h2< 10.0.22000.217610.0.22000.2176
microsoftwindows_11_22h2< 10.0.22621.199210.0.22621.1992
microsoftwindows_11_version_21h2>= 10.0.0 < 10.0.22000.217610.0.22000.2176
microsoftwindows_11_version_22h2>= 10.0.22621.0 < 10.0.22621.199210.0.22621.1992
microsoftwindows_server_2008
microsoftwindows_server_2008_r2_service_pack_1>= 6.1.7601.0 < 6.1.7601.266236.1.7601.26623
microsoftwindows_server_2008_service_pack_2>= 6.0.6003.0 < 6.0.6003.221756.0.6003.22175
microsoftwindows_server_2012
microsoftwindows_server_2012>= 6.2.9200.0 < 6.2.9200.243746.2.9200.24374
microsoftwindows_server_2012_r2>= 6.3.9600.0 < 6.3.9600.210636.3.9600.21063
microsoftwindows_server_2016< 10.0.14393.608510.0.14393.6085
microsoftwindows_server_2016>= 10.0.14393.0 < 10.0.14393.608510.0.14393.6085
microsoftwindows_server_2019< 10.0.17763.464510.0.17763.4645
microsoftwindows_server_2019>= 10.0.17763.0 < 10.0.17763.464510.0.17763.4645

Detection & IOCsextracted from sources · hover to see the quote

hash07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d
hash1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f
hash3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97
hasha61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
hashe7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539
pathC:\Users\public\test\Windows\System32\wermgr.exe
pathC:\Users\Public\test\ProgramData\Microsoft\Windows\WER\ReportArchive\WER1CF4123
pathC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue
filenameReport.wer
processwermgr.exe
other\??\C: -> \GLOBAL??\C:\Users\Public\Test (NtCreateSymbolicLink)
  • Hunt for child processes spawned by Microsoft Office applications on Windows — a key behavioral indicator of exploitation chaining CVE-2023-36884 with related zero-days.
  • Detect exploit activity by looking for a fake/attacker-controlled wermgr.exe placed under C:\Users\public\test\Windows\System32\ — a non-standard path used by the exploit kit to achieve privilege escalation via WER symbolic link abuse.
  • Monitor for NtCreateSymbolicLink calls that remap \??\C: to a user-controlled path such as \GLOBAL??\C:\Users\Public\Test — this is the core privilege escalation primitive used in the CVE-2023-36874 exploit.
  • Alert on WER report submission (IWerReport->SubmitReport) that references report archives located under user-writable paths (e.g., C:\Users\Public\) rather than the canonical C:\ProgramData\Microsoft\Windows\WER\ReportArchive\.
  • Exploit kit binaries were delivered via RDP from an unmanaged host; monitor for unusual binary drops followed by WER-related process activity originating from RDP sessions.
  • The exploit kit spawns cmd.exe and powershell_ise.exe as part of its execution chain; alert on these processes when parented by WER-related processes.
  • ·The exploit fails if the current user is a local administrator, because Windows will attempt impersonation and the privilege escalation path breaks. This exploit specifically targets non-admin users.
  • ·Some exploit kit binaries are packed; static hash-based detection alone may miss packed variants. Behavioral detection of the WER symbolic link abuse is more reliable.

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.