CVE-2023-36874

HIGH KEV

Windows Error Reporting Service - Privilege Escalation


Exploitation Summary

CVE-2023-36874 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 11, 2023. EIP tracks 6 public exploits, from researchers including Wh04m1001, Octoberfest7 and d0rb, among them a Metasploit module (exploits/windows/local/win_error_cve_2023_36874).

AI-analyzed exploit summary: This PoC exploits CVE-2023-36874, a Windows Error Reporting (WER) vulnerability, by creating symbolic links and manipulating directory objects to achieve local privilege escalation. The exploit involves COM object manipulation and symbolic link abuse to execute arbitrary code with elevated privileges.

Description

Windows Error Reporting Service Elevation of Privilege Vulnerability

Exploits (6)

nomisec WORKING POC 239 stars
by Wh04m1001 · local
https://github.com/Wh04m1001/CVE-2023-36874

This PoC exploits CVE-2023-36874, a Windows Error Reporting (WER) vulnerability, by creating symbolic links and manipulating directory objects to achieve local privilege escalation. The exploit involves COM object manipulation and symbolic link abuse to execute arbitrary code with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Error Reporting (WER) on vulnerable Windows versions (e.g., Windows 10 19045.2006)
No auth needed
Prerequisites: Vulnerable Windows system with WER enabled · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 205 stars
by Octoberfest7 · local
https://github.com/Octoberfest7/CVE-2023-36874_BOF

This is a CobaltStrike BOF implementation of CVE-2023-36874, a Windows Error Reporting LPE exploit. It drops a user-specified EXE to disk and triggers the vulnerability to execute it as SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 and Windows 11 21H1 - 22H2
Auth required
Prerequisites: Low-privileged user access · CobaltStrike Beacon · Unpatched Windows system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 77 stars
by d0rb · poc
https://github.com/d0rb/CVE-2023-36874

This PoC demonstrates a vulnerability in Windows Error Reporting (WER) by leveraging COM interfaces to trigger an exploit via report submission. The code initializes COM, interacts with WER components, and submits a report to exploit CVE-2023-36874.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows Error Reporting (WER) component
No auth needed
Prerequisites: Access to a vulnerable Windows system with WER component
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by crisprss · local
https://github.com/crisprss/CVE-2023-36874

This PoC exploits CVE-2023-36874 by creating a symbolic link to redirect system paths, allowing arbitrary code execution via a malicious 'wermgr.exe'. It leverages COM interfaces to trigger the vulnerability in Windows Error Reporting (WER).

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (specific version not specified)
No auth needed
Prerequisites: Local access to the target system · Ability to create directories and files in specific paths
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Filip Dragović (Wh04m1001), Octoberfest7, bwatters-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/win_error_cve_2023_36874.rb

This Metasploit module exploits CVE-2023-36874, a local privilege escalation vulnerability in Windows Error Reporting (WER). It manipulates directory paths to coerce WER into executing an arbitrary payload as SYSTEM by creating a shadow directory structure and uploading a malicious 'wermgr.exe'.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on 22H2)
Auth required
Prerequisites: Local access to the target system · Non-admin user session · Windows Error Reporting (WER) enabled
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by Adrien_CHAMUSSY · local
https://gitlab.com/Adrien_CHAMUSSY/cve-2023-36874

This repository contains a functional exploit for CVE-2023-36874, leveraging symbolic link manipulation and COM object interactions to achieve local privilege escalation. The exploit creates a malicious WER report and manipulates directory objects to escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Error Reporting (WER)
Auth required
Prerequisites: Local access to the target system · Ability to create files and directories
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.7022
EPSS Percentile 98.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-07-11
VulnCheck KEV 2023-06-30
InTheWild.io 2023-06-30
ENISA EUVD EUVD-2023-40794
CWE CWE-59
Status published
Products (14)
microsoft/windows_10_1507 < 10.0.10240.20048
microsoft/windows_10_1607 < 10.0.14393.6085 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.4645 (4 CPE variants)
microsoft/windows_10_21h2 < 10.0.19041.3208
microsoft/windows_10_22h2 < 10.0.19045.3208
microsoft/windows_11_21h2 < 10.0.22000.2176
microsoft/windows_11_22h2 < 10.0.22621.1992
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
... and 4 more
Published Jul 11, 2023
KEV Added Jul 11, 2023
Tracked Since Feb 18, 2026