Satnam Narang, Sr. Staff Research Engineer, Tenable
“Within 24 hours of its release, researchers at MDSec have already developed a functional proof-of-concept exploit for CVE-2023-23397, emphasising how easy it is to exploit. In its example, they were able to trigger the vulnerability through an Outlook appointment reminder that appeared on-screen after the specially crafted message was received by the email server and downloaded by the Outlook client. It required no user interaction, making this a zero-click vulnerability. Additionally, Microsoft confirmed that the flaw had been exploited as a zero day as part of limited attacks against government, transportation, energy, and military organisations in Europe by a Russia-based threat actor.
“Based on the simplicity by which this vulnerability can be exploited, we believe it’s only a matter of time before it is adopted into the playbooks of other threat actors, including ransomware groups and their affiliates. We anticipate CVE-2023-23397 to become one of the top vulnerabilities of 2023.
“As we’ve highlighted in our recent 2022 Threat Landscape Report, known vulnerabilities pose the greatest risk to organisations today. Now that CVE-2023-23397 has transitioned from a zero day to a known vulnerability, we strongly encourage all organisations that utilise Microsoft Outlook to prioritise patching this flaw sooner rather than later.”