
CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog

The Cybersecurity and Infrastructure Security Agency added a recently revealed bug to its known exploited vulnerability list this week after Microsoft confirmed it was being used in attacks. 

CISA ordered all federal civilian agencies to patch CVE-2023-21674 by January 31. The bug – first unveiled in Microsoft’s initial Patch Tuesday release of 2023 – affects the Windows Advanced Local Procedure Call (ALPC) and has a CVSS score of 8.8 out of a possible 10.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said. 

The Zero Day Initiative’s Dustin Childs said bugs like this are “often paired with some form of code execution to deliver malware or ransomware” and added that because it was reported to Microsoft by researchers from Avast, “that scenario seems likely here.”

Qualys’ Saeed Abbasi agreed that such bugs “are frequently leveraged in tandem with malware or ransomware delivery,” while others noted that there is a working proof of concept for the vulnerability.

Several cybersecurity experts spotlighted the vulnerability as the most concerning of the nearly 100 vulnerabilities revealed on Tuesday. 

Automox’s Gina Geisel warned that the vulnerability has a low attack complexity, requires only low privileges, and needs no user interaction to be exploited.

“To exploit this vulnerability, an attacker would first have to log on to the system, run a specially crafted application, and then take control of the affected system," Geisel said. "A successful attacker could then run arbitrary code in the security context of the local system and install programs enabling them to view, change, or delete data, or, worst case, create new accounts with full user rights. With an official fix for the zero day released from Microsoft for Windows 10, Windows 11, 8.1, through Windows Server 2022, Automox recommends patching within 24 hours.”

Mike Walters, VP of Vulnerability and Threat Research at Action1, said the vulnerability is significant because it affects millions of organizations.

In addition to CVE-2023-21674, CISA added another Microsoft bug from November – CVE-2022-41080 – to its catalog of exploited vulnerabilities.
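CISA publishes the catalog these two CVEs were added to as a JSON feed, and the binding due dates in it are what make the catalog useful for prioritising patch work. The script below is an added example, not code from CISA or from the article: it reads a catalog in the feed's layout, matches it against a host's list of open CVEs, and ranks the matches by days left until the CISA due date. The embedded catalog is a constructed sample using the feed's field names; the CVE-2023-21674 dates follow the article (added this week, due January 31), while the CVE-2022-41080 entry's dates and description are placeholders, and the inventory list is made up.

```python
"""Rank a host's open CVEs by CISA KEV due date (added example)."""
import json
from datetime import date

# Location of the live feed; not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the layout of the KEV feed. CVE-2022-41080's dates and
# description are placeholders, not values taken from the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2023-01-10T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-21674",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
            "dateAdded": "2023-01-10",
            "shortDescription": "Windows Advanced Local Procedure Call (ALPC) privilege escalation.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-01-31",
        },
        {
            "cveID": "CVE-2022-41080",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Placeholder name (constructed)",
            "dateAdded": "2023-01-10",
            "shortDescription": "Placeholder description (constructed).",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-01-31",
        },
    ],
})


def load_catalog(feed_text):
    """Parse KEV-format JSON into a dict keyed by CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(catalog, open_cves, today):
    """Return KEV matches from open_cves, most urgent first.

    Each row carries the CISA due date, days left (negative when overdue)
    and the required action, so it can feed a ticket or a dashboard.
    """
    rows = []
    for cve in sorted(set(open_cves)):
        entry = catalog.get(cve)
        if entry is None:
            continue  # not in KEV: still a finding, but not a federal deadline
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": due < today,
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    # Constructed inventory: two KEV entries plus one CVE that is not listed.
    open_on_host = ["CVE-2022-41080", "CVE-2023-21674", "CVE-2023-99999"]
    for row in prioritize(load_catalog(SAMPLE_KEV_JSON), open_on_host, date(2023, 1, 20)):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]} days left'
        print(f'{row["cve"]:15} {row["product"]:25} due {row["due"]}  {flag}')
```

To use it against the real catalog, replace SAMPLE_KEV_JSON with the body fetched from KEV_FEED_URL and feed in the CVE list your scanner reports for each host; the due-date ordering is what CISA's directive binds federal agencies to, and it is a reasonable default for anyone else.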

Among the 11 critical bugs announced on Tuesday by Microsoft, Abbasi spotlighted CVE-2023-21743 – an issue affecting the security features of Microsoft SharePoint Server – and CVE-2023-21763, a Microsoft Exchange Server vulnerability. 

“Both Sharepoint and Exchange are critical tools that many organizations use to collaborate and complete daily tasks – making these vulnerabilities extremely attractive in the eyes of an attacker,” Abbasi said. 

The Patch Tuesday was also notable, according to N-able’s Lewis Pope, because it included the final security update for the widely used Windows 7 Professional and Enterprise. 

Windows 8.1 has reached end of support, and Microsoft 365 applications will no longer be receiving security updates for Windows 7 or Windows 8 versions, Pope said. 

“This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices,” Pope said. 

“According to Microsoft, the proper action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favor of modern, supported operating systems. While there are always caveats and special use cases, budgets for 2023 should include appropriate funding to migrate all operations from any unsupported operating system.”

The first Patch Tuesday of the year also included security releases from Adobe, SAP and more.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.