CVE-2023-28229

HIGH KEV

Windows CNG Key Isolation Service - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2023-28229 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 4, 2023. EIP tracks 2 public exploits from researchers including Y3A, byt3n33dl3.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-28229, a Windows CNG Key Isolation RPC EoP vulnerability. The exploit leverages a use-after-free (UAF) condition to achieve privilege escalation by spraying and manipulating provider objects to execute arbitrary code via LoadLibraryW.

Description

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

Exploits (2)

nomisec WORKING POC 137 stars

by Y3A · local

https://github.com/Y3A/CVE-2023-28229

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-28229, a Windows CNG Key Isolation RPC EoP vulnerability. The exploit leverages a use-after-free (UAF) condition to achieve privilege escalation by spraying and manipulating provider objects to execute arbitrary code via LoadLibraryW.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Windows CNG Key Isolation Service

No auth needed

Prerequisites: Access to a vulnerable Windows system with the CNG Key Isolation Service running

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1211 - Exploitation for Defense Evasion

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 5 stars

by byt3n33dl3 · local

https://github.com/byt3n33dl3/CrackKeyIso

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-28229, a Windows CNG KeyIso RPC vulnerability. The exploit leverages a use-after-free (UAF) condition to achieve local privilege escalation (LPE) by spraying and manipulating provider objects to execute arbitrary code via LoadLibraryW.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Windows CNG KeyIso RPC Service

No auth needed

Prerequisites: Local access to the target system · Ability to compile and execute the exploit code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28229

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28229

Scores

CVSS v3 7.0

EPSS 0.0187

EPSS Percentile 76.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2023-10-04

VulnCheck KEV 2023-10-04

InTheWild.io 2023-10-04

ENISA EUVD EUVD-2023-31937

CWE

CWE-591

Status published

Products (15)

microsoft/windows_10_1507 < 10.0.10240.19869

microsoft/windows_10_1607 < 10.0.14393.5850

microsoft/windows_10_1809 < 10.0.17763.4252

microsoft/windows_10_20h2 < 10.0.19042.2846

microsoft/windows_10_21h2 < 10.0.19044.2846

microsoft/windows_10_22h2 < 10.0.19045.2846

microsoft/windows_11_21h2 < 10.0.22000.1817

microsoft/windows_11_22h2 < 10.0.22621.1555

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1

... and 5 more

Published Apr 11, 2023

KEV Added Oct 04, 2023

Tracked Since Feb 18, 2026