Microsoft Issues Patch for Severe Vulnerability CVE-2023-23397 Targeting Government, Energy, and Transport Sectors

In early September 2021, Microsoft released a security update that addressed a critical vulnerability in its Outlook email client. The vulnerability, marked as CVE-2021-38647, impacted all versions of Microsoft Outlook and allowed threat actors to steal sensitive information from the organization’s email servers. This vulnerability was so serious that security analysts called for immediate action to be taken by Microsoft and its users. It is essential for everyone to understand the impact of this vulnerability and to take necessary action to prevent potential attacks.

Background information on the Outlook vulnerability

The vulnerability discovered by security researchers from Cisco Talos was rated with a CVSS score of 8.8 out of 10, marking it as a critical vulnerability. Microsoft later determined that the activities resulted from Russian-based actors and that they were being used in targeted attacks against a limited number of organizations. The vulnerability, marked as CVE-2021-38647, was an extension of the original vulnerability discovered in 2020, a different vulnerability known as “CVE-2023-23397,” which affects all Microsoft Outlook products that run on the Windows operating system.

Details of the vulnerability affecting all Microsoft Outlook products

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It is a cushion bypass vulnerability in NTLM that could be exploited for the purpose of credential theft to gain affluent access to an organization through an escalation of privilege vulnerability. An attacker can gain access to an Outlook server through an email, calendar invites, or tasks that utilize the extended MAPI property ‘PidLidReminderFileParameter.’ The property in question was intended for reminder purposes, but if exploited, would allow the attacker to execute arbitrary code on a vulnerable system.

During this period, threat actors targeted and breached the networks of approximately 15 critical organizations related to the government, energy, and transportation sectors. These organizations probably had a high concentration of sensitive information stored in their email systems, making them easy targets for the threat actors.

Threat actors can exploit the vulnerability by creating emails, calendar invites, or tasks that contain the extended MAPI property ‘PidLidReminderFileParameter.’ If an unsuspecting user opens the email, the code within the attachment may execute, leading to credential theft and privilege escalation, as the attacker gains access to the targeted email system.

This vulnerability could result in both credential theft and escalation of privilege vulnerability. If exploited, an attacker could gain high-level access to the targeted organization’s email systems. Potential attackers could then access sensitive data, which could be catastrophic for the organization. They could use the data for ransom purposes, or leverage it for competitive advantage.

The extended MAPI property ‘PidLidReminderFileParameter’ can be used by threat actors to create emails, calendar invites, or tasks that contain an attached file. This file contains a file path that Outlook replicates seamlessly, like an internal network file share or an SMB server Microsoft Windows server. This creates an opportunity for attackers to access passwords and other credential data that have been inadvertently duplicated and saved to the organization’s email systems.

An attacker may be able to exploit a vulnerable system’s Net-NTLMv2 hash by performing an NTLM relay attack on another system. This means that the attacker could gain access to other devices on the organization’s network.

The importance of installing the patch provided by Microsoft

Regarding CVE-2021-38647, Microsoft has already released a security update that fixes the vulnerability. Installing the patch as soon as possible would be an ideal move to address the vulnerability. It is also worth noting that if the fix has already been applied, it can be checked for effectiveness using available evaluation tools. While fixing the vulnerability would solve the immediate concern, more needs to be done to ensure that the organization does not fall prey to similar attacks in the future.

The significance of blocking outbound port TCP/445 from the network to prevent NTLM messages from leaving is that it is not enough to simply install the patch and assume that the vulnerability and similar ones have been addressed permanently. Blocking port TCP/445 outbound from the network is crucial in preventing the NTLM messages from leaving the network. Hackers cannot perpetrate an attack if messages are not leaving the organization’s network. Blocking this TCP port can thwart other potential attacks in which the organization’s internal networks are leveraged to carry out other malicious activities.

In conclusion, it is strongly advised by security analysts that admins apply and check all recommended mitigations immediately to prevent any attacks effectively. These include installing the relevant patch provided by Microsoft, blocking port TCP/445 outbound from the network to prevent NTLM messages from leaving, and educating users on best practices to avoid email-based attacks in the first place. Failure to take necessary action could have disastrous implications for the organization, and waiting for an attack to occur before taking the required measures is not worth it. Being proactive on this front is the only way to prevent potential harm to the organization.

Explore more

AI Revolutionizes Dentistry with Prevention and Efficiency

Introduction Imagine a world where a simple smartphone photo can detect early signs of gum disease before any pain sets in, potentially saving millions from costly dental procedures, and this is no longer a distant dream but a reality being shaped by artificial intelligence (AI) in dentistry. Oral health, often overlooked in broader healthcare discussions, affects billions globally, with untreated

Why Do Tech Job Seekers Face Silence After Final Interviews?

I’m thrilled to sit down with Ling-Yi Tsai, a seasoned HRTech expert with decades of experience helping organizations navigate change through innovative technology. With her deep knowledge of HR analytics tools and expertise in integrating tech solutions into recruitment, onboarding, and talent management, Ling-Yi offers a unique perspective on the evolving landscape of hiring in the tech industry. In this

Trend Analysis: Ukrainian Fintech Innovation Boom

In a remarkable turn of events, Fintech-IT Group, a Kyiv-based powerhouse, has achieved a staggering $1 billion valuation with a major investment from the Ukraine-Moldova American Enterprise Fund (UMAEF), thrusting Ukraine into the spotlight of the global fintech arena and highlighting its unyielding drive for innovation. This milestone, celebrated in 2025, underscores a nation’s determination to push technological boundaries despite

Trend Analysis: Mobile-Friendly Email Strategies

Imagine a world where over half of all digital interactions happen on a device that fits in the palm of a hand, and according to Statista, mobile devices accounted for 62.54 percent of global website traffic in the last quarter of 2024. This staggering figure underscores the shift in how consumers engage with content, making mobile-friendly strategies not just an

Why Is Agentic AI Struggling in Customer Service Automation?

Setting the Stage: The Automation Revolution in Customer Service Imagine a world where customer inquiries are resolved instantly by autonomous AI agents, slashing operational costs and boosting satisfaction rates. This vision has fueled a surge in agentic AI adoption within the customer service sector, promising a transformative shift in how enterprises handle support. Yet, despite the hype, a staggering number