Windows 11 ThemeBleed remote code execution vulnerability

Target Industry

Indiscriminate, opportunistic targeting.


Microsoft has disclosed details relating to the following vulnerability for Windows 11_21h2 and Windows 11_22h2:

CVE-2023-38146 (CVSSv3 score: 8.8): Windows Themes Remote Code Execution Vulnerability.

Proof-of-Concept (PoC) code has been released, demonstrating how the vulnerability can be exploited.


Successful exploitation of CVE-2023-38146 allows unauthenticated threat actors to achieve remote code execution (RCE) on the target machine.

Vulnerability Detection

Microsoft has released a security update to patch this vulnerability. This means that Windows 11_21h2 and Windows 11_22h2 devices without the update are now vulnerable to potential exploitation.

Affected Products

Devices running Windows 11_21h2 and Windows 11_22h2 that do not have Microsoft’s September 2023 security update are now vulnerable.

Containment, Mitigations & Remediations

It is highly recommended that all organisations apply the relevant security patches as soon as possible. More information can be found on the Microsoft Update Guide.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Windows is one of the main operating systems used by organisations and runs on many devices all over the world. Microsoft has disclosed a notable vulnerability in Windows 11_21h2 and Windows 11_22h2, and because many devices have not run the latest security update, they remain open to possible exploitation by threat actors attempting to view and exfiltrate sensitive data.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies


TA0002 – Execution

Further Information

Microsoft Update Guide.

