CVE-2023-28252

Vulnerability updated a month ago (2024-10-17T13:02:20.214Z)

Download STIX

Preview STIX

CVE-2023-28252 is a critical Elevation of Privilege vulnerability, affecting the Windows Common Log File System (CLFS) driver. This flaw was discovered by Kaspersky researchers while investigating zero-day vulnerabilities in Windows aimed at preventing user attacks. The vulnerability presents a significant risk to systems, with a high Qualitative Disaster Severity (QDS) score of 95 and a Common Vulnerability Scoring System (CVSS) score of 7.8, indicating its potential for severe impact on system integrity. The exploitation process of this vulnerability, CVE-2023-28252, bears a striking resemblance to another exploit, CVE-2023-23376. Microsoft assigned the identifier 'CVE-2023-28252' to this zero-day bug upon discovery. The threat actor initially gained access to the organization through a Qakbot infection, subsequently exploiting the Windows CLFS vulnerability to elevate their privileges on affected devices. Following the successful exploitation of CVE-2023-28252, the threat actor used Cobalt Strike and Pypykatz, a Python version of Mimikatz, to steal the credentials of two domain administrators. This action facilitated lateral movement to four domain controllers, further compromising the security of the organization's network. The discovery and subsequent analysis of this vulnerability underline the importance of continuous vigilance and timely patching in maintaining system security.

Description last updated: 2024-10-17T12:52:58.917Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Windows

Vulnerability

Microsoft

Exploit

Kaspersky

Exploits

exploited

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Nokoyawa Malware is associated with CVE-2023-28252. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri	has used	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2022-24521 Vulnerability is associated with CVE-2023-28252. CVE-2022-24521 is a software vulnerability discovered in 2022, characterized by a flaw in the software design or implementation. This specific vulnerability was exploited through modifications to BLF files and was one of four vulnerabilities (including CVE-2022-37969, CVE-2023-23376, and CVE-2023-28	Unspecified	3

Source Document References

Information about the CVE-2023-28252 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	4 months ago	Ransomware gangs exploit VMware ESXi bug CVE-2024-37085
Securelist	7 months ago	Analyzing the vulnerability landscape in Q1 2024
CERT-EU	10 months ago	Less than 1% vulnerabilities pose highest risk in 2023, finds Qualys
CERT-EU	a year ago	Windows CLFS Driver zero-days leveraged in ransomware attacks \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Carbanak Banking Malware Resurfaces with New Ransomware Tactics \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Windows CLFS and five exploits used by ransomware operators \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	a year ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days
CERT-EU	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #2 – September 2022)
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #4 – CVE-2023-23376)
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #1 – CVE-2022-24521)
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #2 – September 2022)
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators
CERT-EU	a year ago	Windows CLFS and five exploits used by ransomware operators – GIXtools
CERT-EU	a year ago	Inside Farnetwork Operation: a Major RaaS Player
CERT-EU	a year ago	Search \| Tripwire
CERT-EU	a year ago	Qualys Survey of Top 10 Exploited Vulnerabilities in 2023 \| Qualys Security Blog
CERT-EU	a year ago	Heimdal®’s Semiannual Rundown of the Most Exploited Vulnerabilities of 2023
CERT-EU	a year ago	IT threat evolution in Q2 2023. Non-mobile statistics – GIXtools