โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence | VULNERABILITY | 🔴 1×KEV

CVE-2023-23397 in Microsoft Outlook: Critical Elevation of Privilege Under Persistent Exploitation

📅 March 24, 2026 | 🔴 Exploit Risk: 0.574 | 📊 Intelligence Score: 98/100 | 📰 26 sources synthesized
Intelligence Metadata

First Reported By: msrc.microsoft.com
Outbreak Velocity: 0 minutes (spread to 3 unique domains)
Consensus: 26 sources across multiple unique domains
CVSS Score: 9.8
EPSS Score: 0.93421 (an estimated 93.42% probability of in-the-wild exploitation within the next 30 days; EPSS publishes the percentile rank as a separate figure)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5737
Race Label: PERSISTENT THREAT

Technical Analysis

CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook for Windows. The attack vector is a specially crafted item with a reminder (a mail message, appointment or task) whose extended MAPI property `PidLidReminderFileParameter` carries a Universal Naming Convention (UNC) path of the form `\\server\share\...` that points at an SMB server the attacker controls.

That property is meant to name a custom reminder sound. When the reminder fires (attackers set the reminder time in the past so that it fires as soon as the Outlook client processes the item), Outlook follows the path to fetch the sound file; because the path is a UNC path, the client opens an SMB connection to the attacker's host and performs NTLM authentication to it. No user interaction is required: the item does not have to be opened or even displayed in the preview pane. What the attacker's server receives is the user's Net-NTLMv2 response, the NTLMv2 challenge-response computed from the NT hash, not the NT hash itself. It cannot be used for pass-the-hash, but it can be relayed in an NTLM relay attack to authenticate to other services as the victim while the session is live, or kept and cracked offline by guessing the user's password. The vulnerability therefore sidesteps the warnings and user confirmation that would normally precede a connection to an external network share.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Microsoft Outlook 2013 Service Pack 1 (32-bit and 64-bit editions)
  • Microsoft Outlook 2016 (32-bit and 64-bit editions)
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft 365 Apps for Enterprise
Exposure: Any Windows system running an unpatched Outlook client that can receive external mail. Outlook for Mac, iOS and Android and Outlook on the web do not process the reminder property this way and are not affected.
Blast Radius: High. The vulnerability affects a ubiquitous enterprise email client, and successful exploitation hands the attacker a usable credential for the victim, which serves both as an initial access point and as a vector for lateral movement inside the corporate network.

Intelligence Context

The combination of a critical CVSS score (9.8), confirmed active exploitation (CISA KEV status) and a very high EPSS probability (93.42%) makes CVE-2023-23397 a top-tier remediation priority. The 'PERSISTENT THREAT' label, derived from its presence in the KEV catalog since March 2023, indicates a vulnerability that has stayed in attacker playbooks rather than a transient spike. The zero-click trigger removes the usual dependence on a victim opening or clicking anything, which lowers the bar for successful attacks considerably. For defenders this means patching alone is not sufficient: credentials may have been captured long before the patch was applied, so mailboxes must be audited for crafted items and the passwords of any user whose mailbox held one should be treated as compromised and reset.

Remediation & Defense

Patch immediately, prioritizing mailboxes that receive external mail and users holding privileged accounts. After patching, run Microsoft's audit script to hunt for crafted items that were delivered before the fix.
Patch Status: Available
Patch Version: Patches were released in the March 14, 2023 Security Update. Refer to the MSRC guide for CVE-2023-23397 for the specific KB articles.
Workarounds:
  • Block outbound TCP 445 (SMB) from client devices at the perimeter firewall, the local firewall and in VPN configuration, so that the NTLM authentication never reaches an attacker's server. This stops the credential leak but not the vulnerable behaviour; pair it with the patch.
  • Add high-value accounts to the 'Protected Users' security group in Active Directory, whose members cannot authenticate with NTLM at all. Test before rolling out: this breaks any application or service that still relies on NTLM for those accounts.
Detection Hints:
  • Monitor for outbound SMB connections (TCP 445) made by the `outlook.exe` process to addresses outside the corporate ranges; a mail client has no legitimate reason to talk SMB to the internet.
  • Run the Microsoft-provided PowerShell script (`CVE-2023-23397.ps1`) against Exchange (on-premises or Exchange Online) to find items whose `PidLidReminderFileParameter` property holds a UNC path; the script can also clean up the items it finds.
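The two detection hints above, as an added example written for this page and not derived from Microsoft's script: a rule that flags `outlook.exe` SMB connections to non-corporate addresses, run over constructed Sysmon Event ID 3 records, and the UNC-path test one would apply to `PidLidReminderFileParameter` values pulled from a mailbox. It goes slightly beyond the text in two assumed ways, which are marked in the code: it also watches TCP 139 (NetBIOS session service, the other port SMB can ride on), and it treats the extended-length `\\?\UNC\server\share` form as remote while leaving `\\?\C:\...` and `\\.\...` local. The corporate address ranges, the log lines, the mailbox items and the host `attacker.example` are all constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed Sysmon Event ID 3 (NetworkConnect) records flattened to key=value
# text, as a SIEM might hand them to a detection rule. Not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Protocol=tcp DestinationIp=10.1.2.3 DestinationPort=445 User=CORP\jdoe",
    r"EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Protocol=tcp DestinationIp=203.0.113.45 DestinationPort=445 User=CORP\jdoe",
    r"EventID=3 Image=C:\Windows\explorer.exe Protocol=tcp DestinationIp=203.0.113.45 DestinationPort=445 User=CORP\jdoe",
    r"EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Protocol=tcp DestinationIp=52.96.0.10 DestinationPort=443 User=CORP\jdoe",
    r"EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Protocol=tcp DestinationIp=198.51.100.7 DestinationPort=139 User=CORP\asmith",
]

# Assumed corporate address space; anything outside it counts as external.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {"445", "139"}  # direct SMB plus NetBIOS session service (assumption: both matter)

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split 'Key=value' pairs; values may contain spaces (e.g. Program Files)."""
    return dict(KV_RE.findall(line))


def is_corporate(ip: str) -> bool:
    # Deliberately not ip_address.is_private: Python counts the TEST-NET ranges
    # used in the samples as private, which is not the question being asked.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def suspicious_outlook_smb(events: Iterable[str]) -> List[dict]:
    """outlook.exe opening SMB to a non-corporate address: the network side of
    a reminder-triggered UNC fetch. Returns the matching parsed events."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue
        if ev.get("DestinationPort") not in SMB_PORTS:
            continue
        ip = ev.get("DestinationIp")
        if not ip or is_corporate(ip):
            continue
        hits.append(ev)
    return hits


def is_network_path(value: str) -> bool:
    r"""True if a PidLidReminderFileParameter value would make Outlook reach a
    remote host. Handles \\server\share, //server/share and the extended
    \\?\UNC\server\share form; \\?\C:\... and \\.\... are local."""
    p = value.strip().replace("/", "\\")
    low = p.lower()
    if low.startswith("\\\\?\\"):
        return low[4:].startswith("unc\\")
    if low.startswith("\\\\.\\"):
        return False
    return p.startswith("\\\\") and len(p) > 2 and p[2] != "\\"


# Constructed mailbox items: (subject, PidLidReminderFileParameter). The real
# property would come from Exchange via EWS; here the values are inline.
SAMPLE_ITEMS: List[Tuple[str, Optional[str]]] = [
    ("Team sync", None),
    ("Quarterly review", r"C:\Windows\Media\Windows Notify Calendar.wav"),
    ("Urgent: invoice", r"\\203.0.113.45\share\x.wav"),
    ("Re: benefits", r"\\?\UNC\attacker.example\pub\a.wav"),
    ("Reminder", r"\\?\C:\Users\jdoe\ring.wav"),
    ("Lunch", "//198.51.100.7/s/a.wav"),
]


def flag_items(items: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Subjects of items whose reminder sound path points off-host."""
    return [subject for subject, value in items if value and is_network_path(value)]


if __name__ == "__main__":
    for ev in suspicious_outlook_smb(SAMPLE_EVENTS):
        print("ALERT outlook.exe ->", ev["DestinationIp"], ev["DestinationPort"], ev["User"])
    print("items to clean:", flag_items(SAMPLE_ITEMS))
```

The network rule is the one to keep running after patching, since it also catches any future bug that coaxes Outlook into an SMB fetch; the path check is the retrospective part, applied to items that were already in mailboxes before the fix.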
