CVE-2023-36884: A Detailed Look at The Recent Microsoft Vulnerability


Threat actors constantly watch for vulnerabilities they can exploit for their own gain. Microsoft recently flagged a sophisticated phishing campaign carried out by a threat actor known as Storm-0978. This meticulously crafted attack, aimed at defense and government organizations in Europe and North America, leverages a potent remote code execution vulnerability, CVE-2023-36884, to breach defenses. The vulnerability was exploited through Word documents that used lures related to the Ukrainian World Congress, before it was disclosed to Microsoft.

During its recent Patch Tuesday release in July 2023, Microsoft acknowledged an actively exploited zero-day Office and Windows HTML remote code execution vulnerability, CVE-2023-36884, awarding it an "important" severity rating. However, despite rolling out 130 patches, including four for vulnerabilities actively being exploited by attackers, a resolution for CVE-2023-36884 remains pending. In this article, we explain the nature of the vulnerability, its potential impact, how it can be mitigated, and how to detect potential exploitation attempts.

Exploring CVE-2023-36884: Microsoft Office and Windows HTML RCE Vulnerability

CVE-2023-36884 is a critical security vulnerability discovered in Microsoft Office and Windows HTML. It belongs to the class of threats known as 'Remote Code Execution', which gives an attacker a means to execute code remotely, bypassing traditional system protections. Exploitation relies on specially crafted Microsoft Office documents that lead to remote code execution. Here's how it works:

  • The attacker cleverly designs a document, which, when opened by an unsuspecting user, triggers a download of a malicious file. 
  • This downloaded file harbors a script, which, when activated, injects an iframe into the system. 
  • Eventually, this leads to a subsequent download of a malicious payload – the final nail in the coffin.

The Impact of CVE-2023-36884: Beyond Remote Code Execution

So what's the big deal with CVE-2023-36884? The answer is much more than you'd initially think. At first glance, it might seem like yet another security vulnerability - a dime a dozen in today's digital world. However, the true danger of this specific vulnerability lies in its impact - unauthorized execution of arbitrary code. Picture this: an attacker does not merely breach your system's defenses, but does so to the extent that the attacker can execute commands on your system without your knowledge or consent. In other words, an attacker can practically commandeer your system via this exploit, enabling unauthorized manipulation of your data or even executing malicious commands.

Who is Pulling the Strings? Which Threat Actors Exploit the CVE-2023-36884 Vulnerability?

Storm-0978, also known as RomCom, is the identified cybercriminal group believed to be exploiting CVE-2023-36884. Originating from Russia, this group has a notorious reputation for engaging in ransomware attacks and extortion-only operations. Beyond these potentially damaging operations, the group is also involved in targeted credential-gathering campaigns, with indications that these campaigns support intelligence operations.

The Current Scenario: The Eye of the Storm

Microsoft first highlighted and identified the extent of CVE-2023-36884 in its July 2023 Patch Tuesday report as an actively exploited vulnerability, and exploitation hasn't stopped since. Most troublingly, this vulnerability has been continually exploited in a series of targeted attacks predominantly aimed at North American and European defense and government entities. This exemplifies the vulnerability's severity and highlights the urgent need for implementing remediation strategies and security updates.

The CVE-2023-36884 Exploit: A Strategic Ploy

The exploitation strategy hinging on CVE-2023-36884 demonstrates the capabilities of cybercriminals. It begins as an inconspicuous phishing attack: the delivery of a seemingly harmless Microsoft Office document. Each stage of the exploit has been expertly crafted: the document, when opened, can instigate the download of a malicious payload. This payload, once deployed, proceeds to compromise the system, delivering control of the attacked systems to the adversaries. What makes this specific exploit particularly concerning is its subtle nature; the victim only realizes the extent of the breach once total control of the system has been ceded to attackers.

Reacting Wisely: How Can You Protect Yourself?

Upon facing this cybersecurity threat, it's natural to wonder, "What actions can I take to safeguard myself?" Microsoft, the creator of the affected software, has proposed a number of defensive steps you can follow to enhance your security against the CVE-2023-36884 vulnerability.

Recommendation 1: 

One of these defense methods involves preventing your Office applications from spawning child processes. In simpler terms, a child process is a separate process that an application launches. By blocking these, you create an extra layer of defense, since the attacker needs these processes to exploit the vulnerability.

Recommendation 2:

Another safety measure you can take is to modify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. This key can influence how your system interacts with different internet protocols. Adding the following Microsoft application names to this registry key can prevent the attackers from taking certain actions that can harm your system: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, and Wordpad.exe.

Note that the full path of this key is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
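One way to apply Recommendation 2 and confirm it took effect, as an added PowerShell example that is not part of the original article or of Microsoft's guidance. The key path and application names come from the text above; writing each name as a REG_DWORD with data 1 and the function names are assumptions of this example.

```powershell
# Added example: apply and verify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation. Key path and application names are taken from the article; the
# DWORD data 1 per application is this example's assumption.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# Names exactly as listed in the article; confirm each one matches the
# executable file name actually installed on your hosts before relying on it.
$Apps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
        'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Get-MitigationState {
    # Returns one record per application: is the value present and equal to 1?
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $value = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            Application = $name
            Value       = $value
            Protected   = ($value -eq 1)
        }
    }
}

function Set-Mitigation {
    # Creates the key if it is missing and writes <application> = 1 (DWORD).
    # Writing under HKLM requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)
    if (-not (Test-Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    foreach ($name in $Names) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Set DWORD 1')) {
            New-ItemProperty -Path $Path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report first; write only when at least one application is unprotected.
$before = Get-MitigationState
if ($before.Protected -contains $false) {
    Set-Mitigation          # add -WhatIf to preview the changes without writing
}
Get-MitigationState | Format-Table -AutoSize
```

Running `Get-MitigationState` on its own gives a read-only audit that can be collected across hosts before any change is made.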

Can You Detect a CVE-2023-36884 Exploitation Attempt?

Identification is the first step to remedying any cyber threat. For CVE-2023-36884, detecting exploitation attempts would involve scanning for abnormal behavior within Microsoft Office applications. Anomalies can signify exploitation attempts, cueing the need for a more in-depth analysis. A silver lining for Microsoft users, particularly those using Microsoft Defender for Office 365, is that attempts to exploit this vulnerability using tainted attachments are often flagged, providing an additional layer of protection against this persistent threat.
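One concrete form of this check, as an added PowerShell example that is not part of the original article: it treats an Office application spawning a child process (the behavior Recommendation 1 blocks) as the anomaly to surface. The record fields follow Windows Security event 4688; the function names, the allowlist parameter and all sample records are constructed for illustration.

```powershell
# Added example: flag process-creation records whose parent is an Office application.
# Field names follow Windows Security event 4688; all sample records are constructed.
$OfficeApps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'  # list from the article

function Get-LeafName([string]$Path) {
    # Last path component, tolerant of either separator and of empty input.
    if ([string]::IsNullOrEmpty($Path)) { return '' }
    ($Path -split '[\\/]')[-1]
}

function Find-OfficeChildProcess {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [string[]]$Parents = $OfficeApps,
        [string[]]$AllowedChildren = @()   # hypothetical site-specific allowlist
    )
    foreach ($r in $Records) {
        $parent = Get-LeafName $r.ParentProcessName
        $child  = Get-LeafName $r.NewProcessName
        # -in / -notin compare case-insensitively, so WINWORD.EXE matches WinWord.exe.
        if ($parent -in $Parents -and $child -notin $AllowedChildren) {
            [pscustomobject]@{
                Time = $r.TimeCreated; Parent = $parent; Child = $child
                CommandLine = $r.CommandLine
            }
        }
    }
}

# Constructed sample records (not taken from any real incident).
$office = 'C:\Program Files\Microsoft Office\root\Office16'
$sample = @(
    [pscustomobject]@{ TimeCreated = '2023-07-12T09:14:03Z'
        ParentProcessName = "$office\WINWORD.EXE"
        NewProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c echo constructed-sample' },
    [pscustomobject]@{ TimeCreated = '2023-07-12T09:15:40Z'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName = "$office\WINWORD.EXE"
        CommandLine = 'WINWORD.EXE /n report.docx' },
    [pscustomobject]@{ TimeCreated = '2023-07-12T09:20:11Z'
        ParentProcessName = "$office\EXCEL.EXE"
        NewProcessName = 'C:\Windows\splwow64.exe'
        CommandLine = 'splwow64.exe 8192' }
)
Find-OfficeChildProcess -Records $sample -AllowedChildren 'splwow64.exe' | Format-Table -AutoSize
```

On a live host the same fields can be read from Security event 4688 when process-creation auditing (with command-line logging) is enabled; expect to tune the allowlist, since Office legitimately starts some helper processes.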

How Does Picus Help Simulate CVE-2023-36884 and RomCom Threat Group Attacks?

Picus Threat Library includes the following threats for Bl00dy ransomware attacks:

| Threat ID | Threat Name |
|  | CVE-2023-36884 RCE Vulnerability used by RomCom Threat Group .DOCX File Download Variant-1 |
|  | CVE-2023-36884 RCE Vulnerability used by RomCom Threat Group .DOCX File Download Variant-2 |
|  | CVE-2023-36884 RCE Vulnerability used by RomCom Threat Group .RTF File Download Variant-1 |