CVE-2023-36424 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2023-11-14

Added to CISA KEV: 2026-04-13 881 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized local access, verify system integrity, and audit privileged account activities
Apply Microsoft security updates immediately for all affected Windows systems
Monitor for unusual privilege escalation attempts and suspicious local process execution
Implement enhanced endpoint detection and response (EDR) monitoring for CLFS-related activities
Review and strengthen local access controls and authentication mechanisms
Priority: HIGH for patching due to CISA KEV status, but focus on systems where local access is more likely (workstations, terminal servers, systems with multiple users)

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-36424 is a high-severity elevation of privilege vulnerability affecting the Windows Common Log File System (CLFS) driver (`clfs.sys`) ^[1].

Active Exploitation and Threat Actor Usage

Status: The vulnerability is confirmed to be actively exploited in the wild.
KEV Catalog: It is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Threat Actors: While specific threat actor names are not always publicly attributed to every instance, reports indicate that ransomware groups and other cybercriminals have utilized this vulnerability in their campaigns.

Attack Method and Requirements

Method: The vulnerability is an Out-of-Bounds (OOB) Read flaw triggered during the parsing of malformed Base Log Files (`.blf`).
Requirements:

* Access: It requires a local, authenticated attacker ^[1]. * Interaction: It is not a remote exploit; the attacker must already have low-privileged access to the target system to initiate the attack ^[1].

Proof-of-Concept (PoC) Availability

Technical analysis and working exploit code have been made publicly available by researchers and on platforms like GitHub.

Impact

Successful exploitation allows a low-privileged local attacker to leak sensitive kernel pointers, bypass Kernel Address Space Layout Randomization (KASLR), and ultimately elevate their privileges to SYSTEM level. This grants the attacker full control over the affected host.

Affected Versions and Patch Status

Affected Products: The vulnerability affects various versions of Microsoft Windows, including Windows 10, Windows 11, and Windows Server editions.
Patch Status: Microsoft released security patches for this vulnerability in November 2023. Organizations are strongly urged to apply these updates immediately to mitigate the risk of compromise.

Sources

CVE-2023-36424: Windows 10 1507 Privilege Escalation Flaw - SentinelOne
CVE-2023-36424 is a privilege escalation vulnerability in Windows Common Log File System Driver. Learn about its impact, affected versions, and mitigation. ... A local, authenticated attacker can exploit the driver to obtain SYSTEM-level privileges on affected Windows desktop and server platforms.

🟢 CVE-2023-36424