CVE-2023-28252

CVE-2023-28252 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-04-11). The underlying weakness is classified as CWE-787.

Key facts

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-28252: Windows Common Log File System Driver Local Privilege Escalation

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2023-28252 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver (clfs.sys). Classified as CWE-787 (Out-of-bounds Write), the flaw enables a local attacker with low-level access to corrupt memory and escalate privileges to SYSTEM.

Background

The Common Log File System (CLFS) is a kernel-mode driver included in Windows that provides high-performance logging services for applications and subsystems. Because it operates at the kernel level, vulnerabilities in CLFS are particularly dangerous—successful exploitation can grant an attacker the highest level of access on the system. This vulnerability was disclosed in April 2023 and has been actively exploited in the wild.

Root Cause

The vulnerability is rooted in CWE-787: Out-of-bounds Write. The CLFS driver fails to properly validate bounds when handling certain log file structures. A malformed input can trigger a memory corruption condition, allowing an attacker to overwrite adjacent kernel memory. This improper boundary check in a trusted kernel component is what enables the privilege escalation.

Impact

Microsoft assigned a CVSS v3.1 score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The metrics indicate:

  • Attack Vector (AV): Local — the attacker must have local access to the target.
  • Attack Complexity (AC): Low — the attack requires minimal technical sophistication.
  • Privileges Required (PR): Low — the attacker needs only limited user privileges.
  • User Interaction (UI): None — no user action is needed to trigger the exploit.
  • Scope (S): Unchanged — the vulnerable component does not impact resources beyond its security scope.
  • Confidentiality, Integrity, and Availability (C/I/A): All High — a successful attack can fully compromise the system.

In practice, this means an attacker who has already gained a foothold on a Windows endpoint can escalate from a standard user to SYSTEM with minimal effort.

Exploitation Walkthrough

This section is provided for defensive awareness only. The details are generic and do not constitute a working exploit.

The attack typically follows this pattern:

  1. Initial Access: The attacker already has code execution on the target system as a low-privileged user.
  2. Crafting the Trigger: The attacker prepares a malformed CLFS log file or interacts with the CLFS driver through a specific API call sequence designed to reach the vulnerable code path.
  3. Memory Corruption: By providing an out-of-bounds value, the attacker causes the CLFS driver to write past the end of a buffer in kernel space.
  4. Privilege Escalation: The corrupted kernel memory is leveraged to overwrite a token or pointer, ultimately elevating the attacker's process to SYSTEM privileges.

Ethics caveat: The information above is intended solely to help defenders understand the attack surface and build detection logic. Developing, distributing, or using exploit code against systems without explicit authorization is illegal and unethical.

Affected and Patched Versions

According to Microsoft and NVD data, the following products are affected:

  • Windows 10 (versions 1507, 1607, 1809, 20H2, 21H2, 22H2)
  • Windows 11 (versions 21H2, 22H2)
  • Windows Server 2008 (SP2 and R2 SP1)
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Specific patched build numbers were not available in the disclosed data; administrators should apply the April 2023 (or later) cumulative security updates from Microsoft to ensure protection.

Remediation

  1. Patching: Apply the latest Windows security updates from Microsoft as soon as possible. This vulnerability was addressed in the April 2023 Patch Tuesday release.
  2. Compensating Controls:
    • Restrict local user access to systems where possible.
    • Enforce the principle of least privilege so users cannot install or execute arbitrary software.
    • Enable Attack Surface Reduction (ASR) rules and Windows Defender Exploit Guard where applicable.
    • Consider implementing Credential Guard to reduce the impact of privilege escalation.

Detection

Defenders can look for the following indicators:

  • Event ID 4656/4663: Unusual access attempts to clfs.sys or log files in system directories by non-privileged processes.
  • ETW Telemetry: Monitor for kernel memory anomalies or unexpected crashes in the CLFS driver.
  • Endpoint Detection and Response (EDR): Alerts for processes attempting to load or manipulate CLFS structures in suspicious patterns.
  • Threat Intelligence: Correlate endpoint activity with known exploitation frameworks that target CLFS vulnerabilities.

Assessment

CVE-2023-28252 carries an EPSS score of 0.48973, placing it in the 98.7th percentile—meaning it is significantly more likely to be exploited than the vast majority of published vulnerabilities. It is also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, with confirmed exploitation starting on April 11, 2023, and is flagged in the EU Vulnerability Database (EUVD-2023-31960). The fact that it requires only low privileges and no user interaction makes it a reliable target for post-exploitation activity, including ransomware deployment.

Key lessons:

  • Kernel-mode drivers that handle complex file formats remain a high-value target for attackers. Rigorous bounds checking and fuzzing of kernel drivers are essential.
  • The combination of low privilege requirements and no user interaction means this vulnerability can be exploited silently once an attacker has any foothold, underscoring the importance of robust endpoint detection and rapid patching.

References

Frequently asked questions

What is CVE-2023-28252?
Windows Common Log File System Driver Elevation of Privilege Vulnerability
How severe is CVE-2023-28252?
CVE-2023-28252 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-28252 being actively exploited?
Yes. CVE-2023-28252 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-04-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-28252?
CVE-2023-28252 primarily affects Microsoft Windows 10 1507. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-28252?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-28252 have an EU (EUVD) identifier?
Yes. CVE-2023-28252 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31960. It is also flagged as exploited in the EUVD (since 2023-04-11).
When was CVE-2023-28252 published?
CVE-2023-28252 was published on 2023-04-11 and last updated on 2026-06-17.

References

Affected products (15)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →