CVE-2023-28252
CVE-2023-28252 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-04-11). The underlying weakness is classified as CWE-787.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- EPSS exploit prediction: 49% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-04-11)
- EU (EUVD) id: EUVD-2023-31960
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-04-11)
- Weakness: CWE-787
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-28252: Windows Common Log File System Driver Local Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2023-28252 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver (clfs.sys). Classified as CWE-787 (Out-of-bounds Write), the flaw enables a local attacker with low-level access to corrupt memory and escalate privileges to SYSTEM.
Background
The Common Log File System (CLFS) is a kernel-mode driver included in Windows that provides high-performance logging services for applications and subsystems. Because it operates at the kernel level, vulnerabilities in CLFS are particularly dangerous—successful exploitation can grant an attacker the highest level of access on the system. This vulnerability was disclosed in April 2023 and has been actively exploited in the wild.
Root Cause
The vulnerability is rooted in CWE-787: Out-of-bounds Write. The CLFS driver fails to properly validate bounds when handling certain log file structures. A malformed input can trigger a memory corruption condition, allowing an attacker to overwrite adjacent kernel memory. This improper boundary check in a trusted kernel component is what enables the privilege escalation.
Impact
Microsoft assigned a CVSS v3.1 score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The metrics indicate:
- Attack Vector (AV): Local — the attacker must have local access to the target.
- Attack Complexity (AC): Low — the attack requires minimal technical sophistication.
- Privileges Required (PR): Low — the attacker needs only limited user privileges.
- User Interaction (UI): None — no user action is needed to trigger the exploit.
- Scope (S): Unchanged — the vulnerable component does not impact resources beyond its security scope.
- Confidentiality, Integrity, and Availability (C/I/A): All High — a successful attack can fully compromise the system.
In practice, this means an attacker who has already gained a foothold on a Windows endpoint can escalate from a standard user to SYSTEM with minimal effort.
Exploitation Walkthrough
This section is provided for defensive awareness only. The details are generic and do not constitute a working exploit.
The attack typically follows this pattern:
- Initial Access: The attacker already has code execution on the target system as a low-privileged user.
- Crafting the Trigger: The attacker prepares a malformed CLFS log file or interacts with the CLFS driver through a specific API call sequence designed to reach the vulnerable code path.
- Memory Corruption: By providing an out-of-bounds value, the attacker causes the CLFS driver to write past the end of a buffer in kernel space.
- Privilege Escalation: The corrupted kernel memory is leveraged to overwrite a token or pointer, ultimately elevating the attacker's process to SYSTEM privileges.
Ethics caveat: The information above is intended solely to help defenders understand the attack surface and build detection logic. Developing, distributing, or using exploit code against systems without explicit authorization is illegal and unethical.
Affected and Patched Versions
According to Microsoft and NVD data, the following products are affected:
- Windows 10 (versions 1507, 1607, 1809, 20H2, 21H2, 22H2)
- Windows 11 (versions 21H2, 22H2)
- Windows Server 2008 (SP2 and R2 SP1)
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Specific patched build numbers were not available in the disclosed data; administrators should apply the April 2023 (or later) cumulative security updates from Microsoft to ensure protection.
Remediation
- Patching: Apply the latest Windows security updates from Microsoft as soon as possible. This vulnerability was addressed in the April 2023 Patch Tuesday release.
- Compensating Controls:
- Restrict local user access to systems where possible.
- Enforce the principle of least privilege so users cannot install or execute arbitrary software.
- Enable Attack Surface Reduction (ASR) rules and Windows Defender Exploit Guard where applicable.
- Consider implementing Credential Guard to reduce the impact of privilege escalation.
Detection
Defenders can look for the following indicators:
- Event ID 4656/4663: Unusual access attempts to
clfs.sysor log files in system directories by non-privileged processes. - ETW Telemetry: Monitor for kernel memory anomalies or unexpected crashes in the CLFS driver.
- Endpoint Detection and Response (EDR): Alerts for processes attempting to load or manipulate CLFS structures in suspicious patterns.
- Threat Intelligence: Correlate endpoint activity with known exploitation frameworks that target CLFS vulnerabilities.
Assessment
CVE-2023-28252 carries an EPSS score of 0.48973, placing it in the 98.7th percentile—meaning it is significantly more likely to be exploited than the vast majority of published vulnerabilities. It is also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, with confirmed exploitation starting on April 11, 2023, and is flagged in the EU Vulnerability Database (EUVD-2023-31960). The fact that it requires only low privileges and no user interaction makes it a reliable target for post-exploitation activity, including ransomware deployment.
Key lessons:
- Kernel-mode drivers that handle complex file formats remain a high-value target for attackers. Rigorous bounds checking and fuzzing of kernel drivers are essential.
- The combination of low privilege requirements and no user interaction means this vulnerability can be exploited silently once an attacker has any foothold, underscoring the importance of robust endpoint detection and rapid patching.
References
Frequently asked questions
- What is CVE-2023-28252?
- Windows Common Log File System Driver Elevation of Privilege Vulnerability
- How severe is CVE-2023-28252?
- CVE-2023-28252 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-28252 being actively exploited?
- Yes. CVE-2023-28252 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-04-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-28252?
- CVE-2023-28252 primarily affects Microsoft Windows 10 1507. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-28252?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-28252 have an EU (EUVD) identifier?
- Yes. CVE-2023-28252 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31960. It is also flagged as exploited in the EUVD (since 2023-04-11).
- When was CVE-2023-28252 published?
- CVE-2023-28252 was published on 2023-04-11 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- http://packetstormsecurity.com/files/174668/Windows-Common-Log-File-System-Driver-clfs.sys-Privilege-Escalation.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28252
Affected products (15)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…