Fix Soon

CVE-2023-36874

Local Privilege Escalation in Microsoft Windows

Summary

The Windows Error Reporting (WER) Service contains a local privilege escalation flaw, a link-following weakness (CWE-59), that lets a low-privileged local user run code as SYSTEM. CrowdStrike, which found the bug being exploited in the wild, described an exploit flow that plants a crafted WER report and a fake wermgr.exe in a user-writable directory tree, then triggers WER report processing so the service resolves its wermgr.exe launch path through an attacker-controlled redirection and starts the planted binary with its own privileges. Successful exploitation gives the attacker full control of the affected host.

Why Fix Soon?

5/6
Domain user required (treated as pre-auth on internal network)
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
LPE (Local Privilege Escalation)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes (a low-privileged local or domain user account; the attacker must already be able to run code on the host)
PoC / Exploit
Yes
Impact

Execute arbitrary code as SYSTEM on the local Windows host.

Privilege Escalation
Exploitation Requirements
  • Authentication required (low-privileged local or domain user)
Exploitation Process

A low-privileged local user prepares an attacker-controlled directory tree that mirrors what the service expects: a crafted Report.wer plus a fake wermgr.exe placed under a Windows\System32 subfolder of a user-writable location. The attacker then sets up the file-system redirection that makes the service resolve its wermgr.exe launch path into that tree (for example a drive-letter remapping in the caller's per-user DOS device map) rather than into the real C:\Windows\System32. When the attacker submits the crafted report, the WER service follows the redirected path and starts the planted executable in its own elevated context, which the exploit typically turns into a SYSTEM shell or a privileged scheduled task.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
1

Affected Software

Vendor: Microsoft
Product: Microsoft Windows
Affected Versions (builds below the listed fixed build are vulnerable):
  • Windows 10 1507 (< 10.0.10240.20048)
  • Windows 10 1607 (< 10.0.14393.6085)
  • Windows 10 1809 (< 10.0.17763.4645)
  • Windows 10 21H2 (< 10.0.19041.3208)
  • Windows 10 22H2 (< 10.0.19045.3208)
  • Windows 11 21H2 (< 10.0.22000.2176)
  • Windows 11 22H2 (< 10.0.22621.1992)
  • Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2 (no fixed build listed)
  • Windows Server 2016 (< 10.0.14393.6085)
  • Windows Server 2019 (< 10.0.17763.4645)
  • Windows Server 2022 (< 10.0.20348.1850)
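A quick way to triage an inventory against the builds above, as an added example (not from this page or from Microsoft): the fixed-build table is copied from the Affected Versions list; the legacy Server build numbers and the sample inventory are this example's own assumptions.

```python
import re

# Fixed builds copied from the Affected Versions list on this page. A host is
# patched when the fourth component of its version string (the UBR) is at or
# above the listed value for its OS build (the third component).
FIXED_UBR = {
    10240: 20048,  # Windows 10 1507
    14393: 6085,   # Windows 10 1607 / Windows Server 2016
    17763: 4645,   # Windows 10 1809 / Windows Server 2019
    19041: 3208,   # Windows 10 21H2
    19045: 3208,   # Windows 10 22H2
    20348: 1850,   # Windows Server 2022
    22000: 2176,   # Windows 11 21H2
    22621: 1992,   # Windows 11 22H2
}

# Windows Server 2008 SP2, 2008 R2 SP1, 2012 and 2012 R2 are listed as affected
# without a fixed build. The build numbers below are this example's own mapping
# of those releases (6002/6003, 7601, 9200, 9600), not taken from the page.
LEGACY_BUILDS = {6002, 6003, 7601, 9200, 9600}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def patch_state(version: str) -> str:
    """Classify a 'Major.Minor.Build.UBR' string such as '10.0.19045.3208'.

    Returns 'patched', 'vulnerable', 'affected-no-threshold' (legacy release the
    page lists without a fixed build) or 'unknown' (build not on the page, e.g.
    a release that shipped after the fix).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Major.Minor.Build.UBR string: {version!r}")
    build, ubr = int(m.group(3)), int(m.group(4))
    if build in FIXED_UBR:
        return "patched" if ubr >= FIXED_UBR[build] else "vulnerable"
    if build in LEGACY_BUILDS:
        return "affected-no-threshold"
    return "unknown"


def triage(inventory: dict) -> dict:
    """Group hostnames by patch state; hosts keep their inventory order."""
    groups = {"vulnerable": [], "patched": [], "affected-no-threshold": [], "unknown": []}
    for host, version in inventory.items():
        groups[patch_state(version)].append(host)
    return groups


# Constructed inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "ws-01": "10.0.19045.3086",   # Windows 10 22H2, UBR below the fix
    "ws-02": "10.0.19045.3208",   # Windows 10 22H2 at the fixed build
    "ws-03": "10.0.22621.1992",   # Windows 11 22H2 at the fixed build
    "ws-04": "10.0.22631.2428",   # Windows 11 23H2: not on this page
    "srv-01": "10.0.20348.1787",  # Server 2022, below 1850
    "srv-02": "6.3.9600.21620",   # Server 2012 R2: affected, no threshold given
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:22s} {', '.join(hosts) or '-'}")
```

On Windows 10 and later the version string can be read from the registry, for example in PowerShell: `$v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; "$($v.CurrentMajorVersionNumber).$($v.CurrentMinorVersionNumber).$($v.CurrentBuildNumber).$($v.UBR)"`. Feed that per host into `patch_state`; an "unknown" result means the build is not in this page's table and must be checked against the vendor advisory rather than assumed safe.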
Description

Microsoft Windows is the desktop and server operating system used across enterprise endpoints and infrastructure, including built-in system services such as Windows Error Reporting.

Deployment: Typically internal | Protocol: Local | Ports: none (local-only vulnerability)
Affected Component: Windows Error Reporting Service report loading and parser launch path, including the wermgr.exe execution flow.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Install the Microsoft security update released in July 2023 (or any later cumulative update) for the affected Windows release; the fixed build numbers are those listed under Affected Software.

Reference: msrc.microsoft.com
Threat Intelligence
EPSS Score: 67.7% (probability of exploitation in the next 30 days)
EPSS Percentile: 99% (worse than 99% of all CVEs)

CISA KEV: Listed
Active Exploitation: Active (source: crowdstrike.com)
Threat Actors

No known threat actors

Detection Rules (3)
  • Sigma: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
  • Sigma: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
  • Sigma: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
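The three rules above all key on the same observation: the genuine wermgr.exe and the genuine Report.wer files live in a small set of directories, and the exploit stages copies of both somewhere a user can write. The following is an added example (not part of this page and not the SigmaHQ rule logic itself) that applies that reasoning to Sysmon-style process-creation (EID 1) and file-creation (EID 11) events; the directory allow-lists, the WinSxS entry and the sample events are this example's own assumptions.

```python
import re

# Directories the genuine wermgr.exe lives in or is launched from (prefix
# match after lower-casing). WinSxS is included for component-store copies;
# treat that entry as an assumption and tune it to your own Sigma source.
LEGIT_WERMGR_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Expected homes of Report.wer files: the machine-wide queue under ProgramData
# and the per-user queue under %LOCALAPPDATA% (assumed layout).
LEGIT_REPORT_RE = re.compile(
    r"^c:\\(programdata|users\\[^\\]+\\appdata\\local)\\microsoft\\windows\\wer\\",
    re.IGNORECASE,
)


def fake_wermgr_execution(ev: dict) -> bool:
    """Sysmon EID 1: wermgr.exe started from outside its legitimate directories."""
    image = ev.get("Image", "").lower()
    return (ev.get("EventID") == 1
            and image.endswith("\\wermgr.exe")
            and not image.startswith(LEGIT_WERMGR_DIRS))


def fake_wermgr_creation(ev: dict) -> bool:
    """Sysmon EID 11: a file named wermgr.exe written outside those directories."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == 11
            and target.endswith("\\wermgr.exe")
            and not target.startswith(LEGIT_WERMGR_DIRS))


def uncommon_report_wer(ev: dict) -> bool:
    """Sysmon EID 11: Report.wer written outside the WER queue directories."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == 11
            and target.endswith("\\report.wer")
            and LEGIT_REPORT_RE.match(target) is None)


RULES = {
    "Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution": fake_wermgr_execution,
    "Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation": fake_wermgr_creation,
    "Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location": uncommon_report_wer,
}


def run_rules(events: list) -> list:
    """Return (rule name, offending path) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        path = ev.get("TargetFilename") if ev.get("EventID") == 11 else ev.get("Image")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, path))
    return hits


# Constructed Sysmon-style events (not real telemetry). The first three mimic
# the exploit flow: staging the fake binary and the report, then the service
# launching the planted copy as SYSTEM. The rest are benign WER activity.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\fake\Windows\System32\wermgr.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\fake\Report.wer"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\fake\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_x_1\Report.wer"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_y\Report.wer"},
]

if __name__ == "__main__":
    for name, path in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {path}")
```

Keep all three rules deployed together. If a sensor logs the launch with the path the service asked for (C:\Windows\System32\wermgr.exe) instead of the file that was actually mapped through the redirection, the execution rule alone misses the launch, while the two file-creation rules still catch the staging of the fake binary and the out-of-place Report.wer.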

NVD Data


Description Summary

Windows Error Reporting Service Elevation of Privilege Vulnerability

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
Version Upto (fixed builds; versions below these are affected): 10.0.10240.20048, 10.0.14393.6085, 10.0.17763.4645, 10.0.19041.3208, 10.0.19045.3208, 10.0.20348.1850, 10.0.22000.2176, 10.0.22621.1992

Affected Software (CPE) (18)

  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*