CVE-2023-36884

HIGH KEV RANSOMWARE

Microsoft Windows Search - Remote Code Execution

Title source: manual

Exploitation Summary

CVE-2023-36884 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 17, 2023, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including jakabakos, Maxwitat, and tarraschk.

AI-analyzed exploit summary: This PoC generates a malicious DOCX file with an embedded RTF altChunk containing a linked OLE object. The exploit leverages CVE-2023-36884 to achieve RCE via crafted Office documents, as used in the Storm-0978 phishing campaign.

Description

Windows Search Remote Code Execution Vulnerability

Exploits (9)

nomisec WORKING POC 41 stars
by jakabakos · client-side
https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE

This PoC generates a malicious DOCX file with an embedded RTF altChunk containing a linked OLE object. The exploit leverages CVE-2023-36884 to achieve RCE via crafted Office documents, as used in the Storm-0978 phishing campaign.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (OOXML documents)
No auth needed
Prerequisites: Python environment with python-docx and pywin32 · Microsoft Word installed for OLE object insertion · Victim interaction to open the document
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 27 stars
by Maxwitat · poc
https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline

This repository contains PowerShell scripts for detecting and remediating CVE-2023-36884, a vulnerability in Microsoft Office. The scripts check and set registry keys to mitigate the vulnerability by blocking cross-protocol file navigation.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Office (various versions)
Auth required
Prerequisites: Administrative access to modify registry keys
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 15 stars
by tarraschk · poc
https://github.com/tarraschk/CVE-2023-36884-Checker

This repository contains PowerShell scripts to check, apply, and remove registry-based mitigations for CVE-2023-36884, a vulnerability in Microsoft Office applications. The scripts verify or modify registry keys to block cross-protocol file navigation as recommended by Microsoft.

Classification: Scanner 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Office applications (Excel, Graph, MSAccess, MSPub, PowerPnt, Visio, WinProj, WinWord, Wordpad)
No auth needed
Prerequisites: Access to the target system's registry · PowerShell execution rights (admin rights for mitigation scripts)
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 2 stars
by ridsoliveira · poc
https://github.com/ridsoliveira/Fix-CVE-2023-36884

This repository provides a PowerShell script to mitigate CVE-2023-36884 by configuring registry keys as recommended by Microsoft. It is not an exploit but a defensive measure.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (multiple Office applications)
Auth required
Prerequisites: Administrative access to modify registry keys
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by zerosorai · poc
https://github.com/zerosorai/CVE-2023-36884

This PoC mitigates CVE-2023-36884 by setting registry values to block cross-protocol file navigation in Microsoft Office applications. It modifies the registry to disable the vulnerability in applications like Word, Excel, and PowerPoint.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Office applications (Word, Excel, PowerPoint, etc.)
Auth required
Prerequisites: Administrative privileges to modify registry keys
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by raresteak · poc
https://github.com/raresteak/CVE-2023-36884

This repository contains only a README.md with references to Microsoft documentation and a hashtag mentioning Storm-0978, but no actual exploit code or technical details. It appears to be a placeholder or informational writeup.

Classification: Writeup 30%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft Internet Explorer 9
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by deepinstinct · poc
https://github.com/deepinstinct/Storm0978-RomCom-Campaign

This repository contains a writeup about a campaign abusing CVE-2023-36884, with no actual exploit code provided. It includes a disclaimer and references to the Storm0978 RomCom campaign.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by or2me · poc
https://github.com/or2me/CVE-2023-36884_patcher

This repository contains a C# application that applies a registry-based patch to mitigate CVE-2023-36884, a vulnerability in Microsoft Office. The tool checks for administrative privileges and Office installation before applying the patch.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Office 2016 and later
Auth required
Prerequisites: Administrator privileges · Microsoft Office installed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.9908
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2023-07-17
VulnCheck KEV: 2023-07-05
InTheWild.io: 2023-07-05
ENISA EUVD: EUVD-2023-40804
Ransomware Use: Confirmed
CWE: CWE-362
Status: published
Products (14)
microsoft/windows_10_1507 < 10.0.10240.20107
microsoft/windows_10_1607 < 10.0.14393.6167 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.4737 (3 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.3324
microsoft/windows_10_22h2 < 10.0.19044.3324
microsoft/windows_11_21h2 < 10.0.22000.2295
microsoft/windows_11_22h2 < 10.0.22621.2134
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
... and 4 more
Published: Jul 11, 2023
KEV Added: Jul 17, 2023
Tracked Since: Feb 18, 2026