Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)

Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)

Microsoft addresses 97 CVEs, including one that was exploited in the wild as a zero day


Microsoft patched 97 CVEs in its April 2023 Patch Tuesday Release, with seven rated as critical and 90 rated as important.

This month’s update includes patches for:

.NET Core
Azure Machine Learning
Azure Service Connector
Microsoft Bluetooth Driver
Microsoft Defender for Endpoint
Microsoft Dynamics
Microsoft Dynamics 365 Customer Voice
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Message Queuing
Microsoft Office
Microsoft Office Publisher
Microsoft Office SharePoint
Microsoft Office Word
Microsoft PostScript Printer Driver
Microsoft Printer Drivers
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows DNS
Visual Studio
Visual Studio Code
Windows Active Directory
Windows ALPC
Windows Ancillary Function Driver for WinSock
Windows Boot Manager
Windows Clip Service
Windows CNG Key Isolation Service
Windows Common Log File System Driver
Windows DHCP Server
Windows Enroll Engine
Windows Error Reporting
Windows Group Policy
Windows Internet Key Exchange (IKE) Protocol
Windows Kerberos
Windows Kernel
Windows Layer 2 Tunneling Protocol
Windows Lock Screen
Windows Netlogon
Windows Network Address Translation (NAT)
Windows Network File System
Windows Network Load Balancing
Windows NTLM
Windows PGM
Windows Point-to-Point Protocol over Ethernet (PPPoE)
Windows Point-to-Point Tunneling Protocol
Windows Raw Image Extension
Windows RDP Client
Windows Registry
Windows RPC API
Windows Secure Boot
Windows Secure Channel
Windows Secure Socket Tunneling Protocol (SSTP)
Windows Transport Security Layer (TLS)
Windows Win32K

Remote code execution (RCE) vulnerabilities accounted for 46.4% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 20.6%.


CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-28252 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver, a logging service used by kernel-mode and user-mode applications. It was assigned a CVSSv3 score of 7.8. This vulnerability is a post-compromise flaw, meaning an attacker could exploit it after gaining access to a vulnerable target. Successful exploitation would elevate an attacker’s privileges SYSTEM. According to Microsoft, it was exploited in the wild as a zero day. Its discovery is attributed to Genwei Wang of Mandiant and Quan Jin withDBAPPSecurity WeBin Lab.

CVE-2023-28252 is the second CLFS Driver EoP vulnerability to be exploited in the wild in 2023, as CVE-2023-23376 was disclosed in the February 2023 Patch Tuesday. It is the fourth known CLFS EoP vulnerability to be exploited in the wild in the last two years, following CVE-2022-24521 from the April 2022 Patch Tuesday and CVE-2022-37969 from the September 2022 Patch Tuesday release. CVE-2022-37969 was also disclosed to Microsoft by Wang and Jin, though it is unclear if there is any connection between both flaws.


CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-21554 is a RCE vulnerability affecting Microsoft Message Queuing (MSMQ) with a CVSSv3 score of 9.8. An attacker could exploit this flaw by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft’s advisory notes that exploitation of this flaw requires the Windows message queuing service to be enabled. When enabled, TCP port 1801 will be listening on the host.

In addition to this RCE flaw, two denial of service CVEs (CVE-2023-21769 and CVE-2023-28302) rated as “important” were also patched in MSMQ this month.


CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2023-28250 is a RCE vulnerability affecting Windows Pragmatic General Multicast (PGM). Successful exploitation requires the MSMQ service to be enabled. An attacker could exploit this flaw by sending a crafted file over the network in order to execute arbitrary code. This vulnerability has a CVSSv3 score of 9.8 and impacts supported versions of Windows including Server Core installations.


CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability

CVE-2023-28231 is a RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index. With a CVSSv3 score of 8.8, successful exploitation requires an attacker to be on an adjacent network prior to using a crafted RPC call to exploit the flaw.

Microsoft Exchange Server 2013 End Of Life

Microsoft announced that Exchange Server 2013 has reached its end of life. This version of Exchange Server will no longer receive security updates and should be upgraded as soon as possible. Microsoft released guidance to assist customers with decommissioning Exchange Server 2013. As we noted in our 2022 Threat Landscape Report, Microsoft Exchange was a major target in 2022, with at least 10 ransomware groups targeting vulnerabilities affecting the popular mail server. In fact, the ProxyShell chain of vulnerabilities affecting Microsoft Exchange were highlighted in our top five vulnerabilities of the year.

To assist organizations in identifying unsupported versions of Microsoft Exchange Server, the following plugins are available:

Plugin ID 22313: Microsoft Exchange Server Unsupported Version Detection
Plugin ID 10880: Microsoft Exchange Server Unsupported Version Detection (Uncredentialed)

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains April 2023.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from

A list of all the plugins released for Tenable’s April 2023 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Microsoft’s April 2023 Security Updates
Tenable plugins for Microsoft April 2023 Patch Tuesday Security Updates

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 


More To Explore

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.