Patch Tuesday - May 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft's May 2023 Patch Tuesday addresses 38 security flaws. Six are rated critical, and three are zero-days: two were actively exploited in the wild before the patch and one was publicly disclosed before a fix was available.

The zero-day flaws are tracked as follows:

CVE-2023-29336 (CVSSv3 Score: 7.8) is a Win32k Elevation of Privilege (EoP) vulnerability that allows a local attacker to escalate to SYSTEM. Microsoft reports that it has been exploited in the wild but has not published details of how.
CVE-2023-24932 (CVSSv3 Score: 6.7) is a Secure Boot Security Feature Bypass vulnerability that has been exploited in the wild to install the BlackLotus UEFI bootkit. Exploitation requires physical access or administrative privileges on the target, which is why the score is comparatively low despite the severity of the outcome.
CVE-2023-29325 (CVSSv3 Score: 8.1) is a Windows OLE remote code execution vulnerability that was publicly disclosed before the patch. Exploitation requires the attacker to win a race condition; the Outlook Preview Pane is an attack vector, so a specially crafted email rendered in the preview pane can trigger it.

The critical vulnerabilities are as follows (the sixth, CVE-2023-29325, is listed above among the zero-days):

CVE-2023-24955 (CVSSv3 Score: 7.2) Microsoft SharePoint Server remote code execution vulnerability.
CVE-2023-28283 (CVSSv3 Score: 8.1) Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability.
CVE-2023-24941 (CVSSv3 Score: 9.8) Windows Network File System remote code execution vulnerability.
CVE-2023-24943 (CVSSv3 Score: 9.8) Windows Pragmatic General Multicast (PGM) remote code execution vulnerability.
CVE-2023-24903 (CVSSv3 Score: 8.1) Windows Secure Socket Tunneling Protocol (SSTP) remote code execution vulnerability.

An additional Win32k privilege escalation vulnerability, tracked as CVE-2023-24902 (CVSSv3 Score: 7.8), is also patched. It affects the same component as CVE-2023-29336 but is not reported as exploited.

A complete list of the disclosed security vulnerabilities can be found at the Microsoft Advisory.

Impact

  • Successful exploitation of CVE-2023-24902 or CVE-2023-29336 allows a threat actor with local access to obtain SYSTEM-level privileges.
  • Successful exploitation of CVE-2023-24932 allows a threat actor to bypass Secure Boot and install a UEFI bootkit that runs before the operating system loads.
  • Successful exploitation of CVE-2023-29325 allows a threat actor to execute code on the target using a specially crafted email, for example when the message is rendered in the Outlook Preview Pane.
  • Successful exploitation of CVE-2023-24955 allows an authenticated attacker with Site Owner privileges to execute code remotely on the Microsoft SharePoint server.
  • Successful exploitation of CVE-2023-28283 allows an unauthenticated attacker to execute code on the LDAP server (typically a domain controller) through a specially crafted set of LDAP calls.
  • Successful exploitation of CVE-2023-24941, CVE-2023-24943 and CVE-2023-24903 allows an unauthenticated remote attacker to execute code on hosts running the NFS server, PGM (only when the Windows Message Queuing service is enabled) and SSTP components respectively.

Vulnerability Detection

Microsoft has released security patches for the vulnerabilities reported on. Systems that have not received the May 2023 updates remain vulnerable to potential exploitation.

Affected Products

A full list of the affected products pertaining to the May 2023 Patch Tuesday can be found on the Microsoft Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products. The patches can be found directly at the Microsoft Patch Tuesday May 2023 Security Guide. Two caveats apply:

  • The CVE-2023-24932 update does not enable the Secure Boot protections by default. Installing it only delivers the components; the revocations must be enabled manually following Microsoft's guidance in KB5025885, and bootable media and recovery images must be updated first, because once the revocations are applied the firmware will refuse to boot media that carries the older boot manager.
  • Where CVE-2023-29325 cannot be patched immediately, Microsoft's interim mitigation is to configure Outlook to read email in plain text, which stops the Preview Pane from rendering crafted content.
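The following PowerShell triage script is an added example, not part of the original bulletin or Microsoft's guidance. It checks a single host for the points a responder cares about after this release: whether the cumulative update is installed (the KB number is supplied by the operator, since it differs per OS build; `KB5026361`, used in the usage line, is the May 2023 update for Windows 10 22H2 and should be verified against the Security Update Guide), whether Secure Boot is on (a prerequisite for the CVE-2023-24932 mitigation to mean anything), which of the network-reachable critical components are actually present, and whether Outlook is configured to read mail as plain text. The service names `NfsService`, `SstpSvc`, `NTDS` and `MSMQ`, the `RMCAST` driver name for PGM, and the Office `16.0` registry path are assumptions based on common installations and should be adjusted for the environment.

```powershell
# Added example: post-Patch-Tuesday triage for the May 2023 release.
# Run in an elevated PowerShell session on the host being assessed.
# Usage:  .\Invoke-May2023Triage.ps1 -RequiredKB KB5026361   (verify the KB for your build)
param(
    [string[]]$RequiredKB = @()   # May 2023 cumulative update KB(s) for this OS build
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Patch state: is the required cumulative update installed?
foreach ($kb in $RequiredKB) {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { Add-Finding "Update $kb" 'OK'      "Installed $($hf.InstalledOn)" }
    else     { Add-Finding "Update $kb" 'MISSING' 'Host has not received the May 2023 fixes' }
}

# 2. CVE-2023-24932: Secure Boot must be enabled for the boot-manager revocations to apply.
#    The revocations themselves are a separate manual procedure (KB5025885); this only
#    confirms the prerequisite. Confirm-SecureBootUEFI throws on legacy BIOS systems.
try {
    $sbStatus = if (Confirm-SecureBootUEFI) { 'OK' } else { 'OFF' }
    Add-Finding 'Secure Boot' $sbStatus 'Prerequisite for the CVE-2023-24932 mitigation'
} catch {
    Add-Finding 'Secure Boot' 'N/A' 'Legacy BIOS or unsupported platform'
}

# 3. Attack surface for the network-reachable critical RCEs. If the component is not
#    installed, the CVE is not reachable on this host. Service names are assumptions.
$surface = @(
    @{ CVE = 'CVE-2023-24941'; Name = 'Server for NFS';        Service = 'NfsService' },
    @{ CVE = 'CVE-2023-24903'; Name = 'SSTP service';          Service = 'SstpSvc'    },
    @{ CVE = 'CVE-2023-28283'; Name = 'AD DS (LDAP server)';   Service = 'NTDS'       },
    @{ CVE = 'CVE-2023-24943'; Name = 'Message Queuing (PGM)'; Service = 'MSMQ'       }
)
foreach ($s in $surface) {
    $svc = Get-Service -Name $s.Service -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding $s.CVE 'EXPOSED' "$($s.Name) present, state: $($svc.Status)" }
    else      { Add-Finding $s.CVE 'N/A'     "$($s.Name) not installed" }
}
# PGM is a kernel driver (assumed name RMCAST) pulled in with MSMQ multicast support;
# report it separately so a stopped MSMQ service with the driver still loaded is visible.
$pgm = Get-CimInstance Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
if ($pgm) { Add-Finding 'CVE-2023-24943 (driver)' 'EXPOSED' "PGM driver state: $($pgm.State)" }
else      { Add-Finding 'CVE-2023-24943 (driver)' 'N/A'     'PGM driver not present' }

# 4. CVE-2023-29325: the Outlook Preview Pane is the vector; reading mail as plain text is
#    the interim mitigation. Office version key (16.0) is an assumption.
$mailKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$plain   = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
$oleStatus = if ($plain -eq 1) { 'MITIGATED' } else { 'CHECK' }
Add-Finding 'CVE-2023-29325' $oleStatus 'ReadAsPlain=1 stops HTML rendering in the Preview Pane'

$findings | Format-Table -AutoSize
```

The script is deliberately read-only: it reports rather than changes state, so it can be pushed fleet-wide to size the exposure before deciding where the Secure Boot revocation procedure (which can leave hosts unbootable from old media if rushed) is worth the operational risk.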

Threat Landscape

Last month, Microsoft published remediations for 98 security flaws in the April 2023 Patch Tuesday release, including one actively exploited zero-day vulnerability. Moving into the May disclosure, remote code execution and privilege escalation are the flavour of the month; however, at 38 security patches the volume is significantly lower than in previous months.

Threat Group

A threat actor has been reported to have exploited CVE-2023-24932 to deploy the BlackLotus UEFI bootkit. Bootkits are difficult to detect by design: BlackLotus runs before the operating system has fully loaded, so security solutions that depend on the operating system cannot observe it during the start-up phase and may already have been tampered with by the time they start.

Mitre Methodologies

Tactics:

TA0002 – Execution
TA0004 – Privilege Escalation
TA0008 – Lateral Movement
TA0040 – Impact

Lateral Movement Technique:

T1210 – Exploitation of Remote Services

Further Information

Microsoft Advisory

Intelligence Terminology Yardstick