Microsoft Issues Patch for Severe Vulnerability CVE-2023-23397 Targeting Government, Energy, and Transport Sectors

In early September 2021, Microsoft released a security update that addressed a critical vulnerability in its Outlook email client. The vulnerability, marked as CVE-2021-38647, impacted all versions of Microsoft Outlook and allowed threat actors to steal sensitive information from the organization’s email servers. This vulnerability was so serious that security analysts called for immediate action to be taken by Microsoft and its users. It is essential for everyone to understand the impact of this vulnerability and to take necessary action to prevent potential attacks.

Background information on the Outlook vulnerability

The vulnerability discovered by security researchers from Cisco Talos was rated with a CVSS score of 8.8 out of 10, marking it as a critical vulnerability. Microsoft later determined that the activities resulted from Russian-based actors and that they were being used in targeted attacks against a limited number of organizations. The vulnerability, marked as CVE-2021-38647, was an extension of the original vulnerability discovered in 2020, a different vulnerability known as “CVE-2023-23397,” which affects all Microsoft Outlook products that run on the Windows operating system.

Details of the vulnerability affecting all Microsoft Outlook products

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It is a cushion bypass vulnerability in NTLM that could be exploited for the purpose of credential theft to gain affluent access to an organization through an escalation of privilege vulnerability. An attacker can gain access to an Outlook server through an email, calendar invites, or tasks that utilize the extended MAPI property ‘PidLidReminderFileParameter.’ The property in question was intended for reminder purposes, but if exploited, would allow the attacker to execute arbitrary code on a vulnerable system.

During this period, threat actors targeted and breached the networks of approximately 15 critical organizations related to the government, energy, and transportation sectors. These organizations probably had a high concentration of sensitive information stored in their email systems, making them easy targets for the threat actors.

Threat actors can exploit the vulnerability by creating emails, calendar invites, or tasks that contain the extended MAPI property ‘PidLidReminderFileParameter.’ If an unsuspecting user opens the email, the code within the attachment may execute, leading to credential theft and privilege escalation, as the attacker gains access to the targeted email system.

This vulnerability could result in both credential theft and escalation of privilege vulnerability. If exploited, an attacker could gain high-level access to the targeted organization’s email systems. Potential attackers could then access sensitive data, which could be catastrophic for the organization. They could use the data for ransom purposes, or leverage it for competitive advantage.

The extended MAPI property ‘PidLidReminderFileParameter’ can be used by threat actors to create emails, calendar invites, or tasks that contain an attached file. This file contains a file path that Outlook replicates seamlessly, like an internal network file share or an SMB server Microsoft Windows server. This creates an opportunity for attackers to access passwords and other credential data that have been inadvertently duplicated and saved to the organization’s email systems.

An attacker may be able to exploit a vulnerable system’s Net-NTLMv2 hash by performing an NTLM relay attack on another system. This means that the attacker could gain access to other devices on the organization’s network.

The importance of installing the patch provided by Microsoft

Regarding CVE-2021-38647, Microsoft has already released a security update that fixes the vulnerability. Installing the patch as soon as possible would be an ideal move to address the vulnerability. It is also worth noting that if the fix has already been applied, it can be checked for effectiveness using available evaluation tools. While fixing the vulnerability would solve the immediate concern, more needs to be done to ensure that the organization does not fall prey to similar attacks in the future.

The significance of blocking outbound port TCP/445 from the network to prevent NTLM messages from leaving is that it is not enough to simply install the patch and assume that the vulnerability and similar ones have been addressed permanently. Blocking port TCP/445 outbound from the network is crucial in preventing the NTLM messages from leaving the network. Hackers cannot perpetrate an attack if messages are not leaving the organization’s network. Blocking this TCP port can thwart other potential attacks in which the organization’s internal networks are leveraged to carry out other malicious activities.

In conclusion, it is strongly advised by security analysts that admins apply and check all recommended mitigations immediately to prevent any attacks effectively. These include installing the relevant patch provided by Microsoft, blocking port TCP/445 outbound from the network to prevent NTLM messages from leaving, and educating users on best practices to avoid email-based attacks in the first place. Failure to take necessary action could have disastrous implications for the organization, and waiting for an attack to occur before taking the required measures is not worth it. Being proactive on this front is the only way to prevent potential harm to the organization.

Explore more

How Are A2A Payments Reshaping Global E-Commerce?

The traditional dominance of plastic-reliant credit card networks is finally crumbling as a more direct and cost-effective method of moving money begins to dominate the world of global digital commerce. For decades, the invisible architecture of the internet was built upon the foundations of the 1950s, using credit cards as a primary bridge between consumers and vendors. This system worked,

Aptar Unveils Durable Packaging Solutions for E-Commerce

The sticky residue of a leaked shampoo bottle pooling at the bottom of a cardboard box has become a familiar, albeit infuriating, ritual for many online shoppers today. This common consumer disappointment often marks the end of brand loyalty, as the unboxing experience—once a moment of high anticipation—transforms into a messy cleanup operation. For beauty and home care brands, ensuring

Intuit Enterprise Suite Delivers AI-Native ERP for Growth

The chasm between a mid-market company’s ambitious expansion goals and its actual operational capacity has historically been widened by fragmented software architectures that fail to communicate. While entry-level accounting tools serve their purpose during the early stages of a startup, they often become a liability as complexity increases, leaving finance teams to bridge the gaps with manual spreadsheets and guesswork.

Is macOS 27 Golden Gate More Than Just Apple Intelligence?

The launch of the macOS 27 Golden Gate public beta marks a significant evolution in Apple’s long-standing effort to reconcile high-level automation with the granular control required by power users. While the promotional narrative surrounding this release is dominated by the sophisticated capabilities of Apple Intelligence and a revamped Siri, the update offers far more than just a layer of

OpenAI Shifts to Outcome-First Prompting for GPT-5.6 Sol

The transition from instructional prompt engineering to a goal-oriented framework represents a seismic shift in how human operators interact with large language models during the current technological cycle. For years, the industry relied on meticulously crafted chain-of-thought instructions to ensure accuracy, but the arrival of GPT-5.6 Sol marks the end of this labor-intensive era. This new architecture prioritizes the final