IRONSMITHINTEL
Severity: Critical, CVSS 9.8 | Actively exploited | CISA KEV | CVE-2023-23397 | Auth: none, zero interaction required | Reboot: not required | Est. 15 minutes (Office update, no reboot required) | Patch method: manual only

KB5002254 / KB5002265: Outlook Security Update (March 2023) for the Outlook for Windows client on Windows 10, Windows 11 and Windows Server 2016/2019/2022

A specially crafted message carrying a reminder whose sound-file path is a UNC path forces Outlook for Windows to connect to an attacker's SMB server and leak the user's Net-NTLMv2 response, with no user interaction. Apply KB5002254 (Outlook 2013) or KB5002265 (Outlook 2016) immediately, or for Office 2019, Office LTSC 2021 and Microsoft 365 Apps move to the March 14, 2023 Click-to-Run build for your channel; exploited by Forest Blizzard (APT28, Russian GRU) since at least April 2022.

Published Mar 14, 2023 · Updated May 29, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker who captures a target's Net-NTLMv2 response can relay it to another service that accepts NTLM authentication without signing or channel binding (SMB shares, on-premises Exchange Web Services) to act as that user, or crack it offline to recover the password. A Net-NTLMv2 response is a challenge-response, not the NT hash, so it cannot be replayed in a pass-the-hash attack; relay and offline cracking are the realistic follow-on paths, and for a domain account either one can lead to network shares, Exchange mailboxes and other systems. No user action is needed: the request fires when the Outlook client receives and processes the message.

How the attack works: no clicks needed

Outlook for Windows evaluates the reminder sound-file property of a message, appointment or task (PidLidReminderFileParameter, honoured when PidLidReminderOverride is set) when the reminder fires. That happens before the item is opened and does not need the Reading Pane; an attacker sets the reminder time in the past so it fires as soon as the item is received. If the property holds a UNC path (for example \\attacker-host\share\sound.wav), the Windows SMB client connects to that host and performs NTLM authentication, handing the attacker the user's Net-NTLMv2 response with no click. If outbound SMB is blocked and the WebClient service is running, Windows can fall back to fetching the same UNC path over WebDAV on TCP 80. Only the Outlook for Windows client is affected; Outlook on the web, Outlook for Mac, iOS and Android do not evaluate this property. The March 2023 fix makes Outlook ignore reminder sound paths that resolve to the Internet security zone.
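The observable side effect on the victim host is outbound SMB to an address outside the organisation. The PowerShell below is an added example written for this page, not code from the advisory or from Microsoft; it runs that check over Sysmon Event ID 3 (network connection) records. The sample records are constructed, with field names as Sysmon emits them. One caveat drives the filter design: the SMB redirector runs in the kernel, so Sysmon attributes the connection to the System process rather than to OUTLOOK.EXE, which is why the filter keys on destination port and address instead of the image name.

```powershell
# Added example, not part of the original advisory or of any Microsoft tooling.
# Flags outbound SMB (TCP 445) to non-private addresses in Sysmon Event ID 3 data,
# the network signature of CVE-2023-23397 on the victim host.

function Test-PrivateAddress {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    $b  = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # ULA fc00::/7, link-local fe80::/10 and loopback ::1 count as internal.
        return $ip.IsIPv6LinkLocal -or (($b[0] -band 0xfe) -eq 0xfc) -or
               [System.Net.IPAddress]::IPv6Loopback.Equals($ip)
    }
    # RFC 1918, loopback and link-local; extend with your own public ranges if needed.
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-ExternalSmbEgress {
    param([Parameter(Mandatory)][object[]]$Events)
    # Sysmon logs the SMB redirector's connection under Image = "System" (PID 4),
    # not under OUTLOOK.EXE, so do not filter on the Outlook image here. The port
    # is cast because Get-WinEvent returns EventData values as strings.
    $Events | Where-Object {
        $_.Initiated -eq 'true' -and
        [int]$_.DestinationPort -eq 445 -and
        -not (Test-PrivateAddress $_.DestinationIp)
    }
}

# Constructed sample: four connections from one workstation around reminder processing.
$sample = @(
    [pscustomobject]@{ UtcTime='2023-03-15 09:01:12'; Image='System'; Initiated='true'; DestinationIp='10.20.30.5';   DestinationPort='445'; User='NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime='2023-03-15 09:01:40'; Image='System'; Initiated='true'; DestinationIp='203.0.113.77'; DestinationPort='445'; User='NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime='2023-03-15 09:01:41'; Image='C:\Windows\System32\svchost.exe'; Initiated='true'; DestinationIp='203.0.113.77'; DestinationPort='80'; User='NT AUTHORITY\LOCAL SERVICE' }
    [pscustomobject]@{ UtcTime='2023-03-15 09:02:30'; Image='C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; Initiated='true'; DestinationIp='52.96.0.10'; DestinationPort='443'; User='CORP\alice' }
)

Find-ExternalSmbEgress -Events $sample |
    Format-Table UtcTime, Image, DestinationIp, DestinationPort -AutoSize
```

Only the 203.0.113.77:445 record is flagged. The internal 445 connection and Outlook's own HTTPS session to the mail server are normal; the port-80 record is the WebDAV fallback (WebClient service, running as LOCAL SERVICE inside svchost.exe) and is deliberately not matched, because external port 80 from svchost.exe is too noisy on its own and is better correlated in proxy logs. In production, replace $sample with the output of Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=3]]', projecting the EventData fields into objects of the same shape.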


Am I affected? Quick check

Probably yes if any of these apply:

Windows endpoints running the Outlook for Windows client (Outlook on the web, Mac, iOS and Android are not affected)
Domain-joined workstations and servers, where the leaked Net-NTLMv2 response belongs to a domain account
Systems with SMB egress allowed (outbound TCP 445 to the Internet); an attacker already on the internal network needs no egress, so blocking 445 outbound reduces but does not remove exposure
Running Outlook 2013, 2016, 2019, Office LTSC 2021 or Microsoft 365 Apps for Enterprise without the March 14, 2023 security update

Affected OS versions

The flaw is in the Outlook for Windows client, not in Windows itself; any of these can host an affected install:

Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022

Fixed in: KB5002254 (Outlook 2013, build 15.0.5537.1000 or later) and KB5002265 (Outlook 2016, build 16.0.5387.1000 or later); 11 product versions in total, including the Click-to-Run editions listed under Affected Products, which receive the fix through their March 2023 channel builds.
Real-world incidents: what we've seen

Microsoft attributed active exploitation to Forest Blizzard (APT28), a Russian GRU-affiliated threat actor. The group used CVE-2023-23397 to target European organisations in the energy, transportation, and government sectors beginning in April 2022, nearly a year before the vulnerability was disclosed. The attack was used for initial access and credential harvesting in multi-stage intrusions.

How to patch

Manual download

For air-gapped systems or out-of-band deployment. The Microsoft Update Catalog returns the 32-bit and 64-bit variants of each Outlook KB (these are Office packages, so the architecture to match is Office's, not Windows').

Microsoft Update Catalog: KB5002254 (Outlook 2013), KB5002265 (Outlook 2016)

Manual remediation steps

15 minutes (Office update, no reboot required)

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates (MSI installs)

KB5002254 (Outlook 2013 SP1): https://support.microsoft.com/help/5002254
KB5002265 (Outlook 2016): https://support.microsoft.com/help/5002265

Click-to-Run installs (Office 2019, Office LTSC 2021, Microsoft 365 Apps for Enterprise) do not receive a KB; the fix ships in the March 14, 2023 build of each update channel.

Supersedes: KB5001990, KB5002051

Affected Products

Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)

Fixed Build Numbers

15.0.5537.1000 (Outlook 2013, KB5002254)
16.0.5387.1000 (Outlook 2016 MSI, KB5002265)
Click-to-Run builds per update channel: https://aka.ms/OfficeSecurityReleases

Installation Methods

Windows Update / Microsoft Update (recommended for MSI installs)

1. Settings → Windows Update → Check for updates. Office MSI updates are only offered when "Receive updates for other Microsoft products" is enabled under Advanced options, or when the update is approved in WSUS / Configuration Manager.
2. The security update is offered if an affected Outlook 2013 or 2016 MSI build is installed.
3. Close and reopen Outlook. No Windows restart is required, but a running Outlook process keeps the old code until it is restarted.

Click-to-Run (Office 2019, Office LTSC 2021, Microsoft 365 Apps)

1. In any Office application: File → Account → Update Options → Update Now.
2. Confirm the build shown under About Outlook is at or above the March 14, 2023 build for your update channel (https://aka.ms/OfficeSecurityReleases).

Microsoft Update Catalog (manual download)

1. Open https://catalog.update.microsoft.com
2. Search for KB5002254 (Outlook 2013) or KB5002265 (Outlook 2016)
3. Download the package matching your Office architecture (32-bit or 64-bit), which need not match the Windows architecture
4. Run the downloaded installer (a self-extracting .exe that applies the .msp patch) with administrator privileges
5. Close and reopen Outlook

WSUS / SCCM / Intune

Approve KB5002254 and KB5002265 for the affected Outlook products in your update management console. For Click-to-Run installs, advance the managed Office update channel to the March 14, 2023 build instead; there is no KB to approve.

Microsoft Download Center Links

https://www.microsoft.com/download/details.aspx?familyid=328f72f0-7eea-4e9b-acae-82851622dbe0
https://www.microsoft.com/download/details.aspx?familyid=65194ac0-3b9d-4345-84b2-c66bd196a91d
https://www.microsoft.com/download/details.aspx?familyid=daf1d545-d8c8-471f-b392-d60d25e14828
https://www.microsoft.com/download/details.aspx?familyid=e78aa39d-7d9b-4d01-98e0-f058ff3b2db3

Verification

Confirm the update is installed. Get-HotFix only enumerates Windows component updates (Win32_QuickFixEngineering) and never lists Office updates, so query the installed-updates registry entries for the Outlook KB instead; Click-to-Run installs have no KB entry and report their build in HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (VersionToReport).

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' |
    Get-ItemProperty | Where-Object { $_.DisplayName -match 'KB5002254|KB5002265' } | Select-Object DisplayName, InstallDate
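A registry entry only proves the patch package ran; the authoritative check is the build of OUTLOOK.EXE itself, and Click-to-Run installs need a different check altogether. The script below is an added example for this page, not Microsoft's own verification script. The fixed MSI builds are the figures from the KB articles above (15.0.5537.1000 for Outlook 2013, 16.0.5387.1000 for Outlook 2016). For Click-to-Run it reports the installed build and channel for comparison with the March 14, 2023 release notes rather than deciding itself, because those builds vary by channel and the page does not list them. That Office MSI patches register under the Uninstall hive is an assumption used only for the supplementary KbInstalled field.

```powershell
# Added example, not part of the original advisory or of Microsoft's own scripts.
# Reports whether the local Outlook for Windows install carries the March 2023 fix.

$FixedMsiBuild = @{ 15 = [version]'15.0.5537.1000'; 16 = [version]'16.0.5387.1000' }
$KbForMajor    = @{ 15 = 'KB5002254';               16 = 'KB5002265' }

function Get-InstalledUpdateNames {
    # Assumption: Office MSI patches register under the Uninstall hive like other
    # installed updates. Treat the result as supplementary to the build check.
    param([Parameter(Mandatory)][string]$Pattern)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object -ExpandProperty DisplayName
}

function Get-OutlookPatchState {
    # Click-to-Run keeps its build here; MSI installs do not create this key.
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r) {
        return [pscustomobject]@{
            InstallType = 'Click-to-Run'
            Build       = $c2r.VersionToReport
            Channel     = $c2r.CDNBaseUrl
            Kb          = $null
            KbInstalled = $null
            Patched     = 'compare Build with the March 14, 2023 entry for this channel at https://aka.ms/OfficeSecurityReleases'
        }
    }

    # MSI install: App Paths locates OUTLOOK.EXE, and its file version is the build.
    $appPath = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' -ErrorAction SilentlyContinue
    if (-not $appPath) {
        return [pscustomobject]@{ InstallType='None'; Build=$null; Channel=$null; Kb=$null; KbInstalled=$null; Patched='Outlook not installed' }
    }
    $vi    = (Get-Item $appPath.'(default)').VersionInfo
    # Build the version from the numeric parts; FileVersion strings can carry extra text.
    $build = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $major = $build.Major
    if (-not $FixedMsiBuild.ContainsKey($major)) {
        return [pscustomobject]@{ InstallType='MSI'; Build=$build; Channel=$null; Kb=$null; KbInstalled=$null; Patched='unknown Outlook major version' }
    }
    $kb = $KbForMajor[$major]
    [pscustomobject]@{
        InstallType = 'MSI'
        Build       = $build
        Channel     = $null
        Kb          = $kb
        KbInstalled = [bool](Get-InstalledUpdateNames -Pattern ([regex]::Escape($kb)))
        Patched     = ($build -ge $FixedMsiBuild[$major])   # the authoritative answer for MSI
    }
}

Get-OutlookPatchState | Format-List
```

Everything read here is under HKLM and the Office install folder, so the script runs as a standard user. Patched is decided from the OUTLOOK.EXE build for MSI installs; KbInstalled $true with Patched $false means the package registered but the binary in use was not replaced, which is worth investigating rather than trusting the registry. Only the Outlook 2013 and 2016 MSI lines carry fixed builds on this page, so the script refuses to judge anything else.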

References

Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-23397
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-23397

Discovery Credit

CERT-UA, Microsoft Incident Response, Microsoft Threat Intelligence


CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability name / type | CVSS | Reference
KB5002254, KB5002265 | CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability (Outlook for Windows client) | 9.8 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23397
