IRONSMITHINTEL
CRITICAL · CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2023-23397 | Auth: none, zero interaction required | Reboot: not required | Est. 15 minutes (Office update, no reboot required) | Manual only

KB5023745: Microsoft Outlook 2016 / 2019 / 365 Security Update (March 2023)

A specially crafted message (a calendar, task or mail item carrying a reminder) forces Outlook to authenticate to an attacker's SMB server and leak the user's Net-NTLMv2 response, with no user interaction at all. Apply KB5023745 immediately; the flaw has been exploited by APT28 (Russia) since at least April 2022.

Published Mar 14, 2023 · Updated May 10, 2026
Why patch: Risk explained in plain English

Worst-case scenario (if unpatched)

An attacker who captures a user's Net-NTLMv2 response can relay it in real time to another service that accepts NTLM without signing or channel binding (SMB shares without signing enforced, HTTP endpoints without Extended Protection for Authentication), gaining access as that user, or crack it offline to recover the plaintext password. What leaks is the challenge-response, not the NT hash, so it cannot be replayed in a classic pass-the-hash attack; the relay and the cracked password are what give the attacker network shares, Exchange mailboxes and other systems. No user action is needed: the attack fires when Outlook processes the item.

How the attack works (no clicks needed)

The message carries a reminder whose sound-file property (PidLidReminderFileParameter, with PidLidReminderOverride set so Outlook honours the custom sound instead of the default) points to a UNC path on an attacker-controlled server. Outlook evaluates that path when the reminder fires, and the attacker sets the reminder time in the past so it fires as soon as the item is retrieved and processed by the client. Windows then authenticates to the remote server with NTLM, handing the attacker the user's Net-NTLMv2 response (username, server challenge and response). The item never has to be opened or even previewed in the Reading Pane.

Attack chain: crafted item with a reminder arrives -> Outlook processes the reminder's UNC sound path -> Windows sends NTLM authentication to the attacker's SMB server -> attacker relays or cracks the Net-NTLMv2 response
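The observable side effect of that chain on the endpoint is outlook.exe opening an SMB or NetBIOS session to an address outside the internal network. The following is an added detection example, not code from the advisory or from Microsoft: it runs over constructed Sysmon Event ID 3 (network connection) records embedded as CSV and flags outlook.exe connections on TCP 445/139 to non-RFC 1918 addresses. The function names, the host paths and the destination addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are all assumptions made for the example.

```powershell
# Added example (not from the advisory page): flag outlook.exe opening SMB/NetBIOS
# sessions to non-private IPv4 addresses in Sysmon network-connection events (Event ID 3).
# The records below are constructed sample data; in production feed the function with
# objects exported from Microsoft-Windows-Sysmon/Operational or your SIEM.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { return $false }
    $o = $o | ForEach-Object { [int]$_ }
    # RFC 1918, loopback and link-local are treated as internal
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168) -or
            ($o[0] -eq 127) -or
            ($o[0] -eq 169 -and $o[1] -eq 254))
}

function Find-OutlookSmbEgress {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int[]]$Ports = @(445, 139)   # SMB direct and NetBIOS session service
    )
    foreach ($e in $Events) {
        if ($e.Image -notmatch '\\outlook\.exe$') { continue }
        if ([int]$e.DestinationPort -notin $Ports) { continue }
        if (Test-PrivateIPv4 $e.DestinationIp) { continue }   # internal file servers are expected
        [pscustomobject]@{
            UtcTime         = $e.UtcTime
            User            = $e.User
            DestinationIp   = $e.DestinationIp
            DestinationPort = [int]$e.DestinationPort
            Verdict         = 'Possible CVE-2023-23397 credential leak: outlook.exe -> external SMB'
        }
    }
}

# Constructed sample events (hypothetical users and hosts, documentation IP ranges)
$sample = @'
UtcTime,Image,User,DestinationIp,DestinationPort,Protocol
2023-03-15 08:01:12,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,CORP\alice,10.20.30.5,445,tcp
2023-03-15 08:01:13,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,CORP\alice,203.0.113.15,445,tcp
2023-03-15 08:01:14,C:\Program Files\Google\Chrome\Application\chrome.exe,CORP\alice,203.0.113.15,443,tcp
2023-03-15 08:02:40,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,CORP\bob,198.51.100.7,139,tcp
2023-03-15 08:02:41,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,CORP\bob,52.96.0.1,443,tcp
'@ | ConvertFrom-Csv

$hits = @(Find-OutlookSmbEgress -Events $sample)
$hits | Format-Table -AutoSize
```

On the sample data the function returns the two outlook.exe connections to 203.0.113.15:445 and 198.51.100.7:139 and ignores the internal file server and the HTTPS traffic. Two caveats: if outbound 445 is already blocked, the UNC lookup can fall back to WebDAV over HTTP through the WebClient service, which this port list does not catch, and an attacker positioned inside the RFC 1918 space would be filtered out, so pair this with the mailbox hunt rather than relying on it alone. Windows Filtering Platform event 5156 carries the same fields if Sysmon is not deployed.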

Am I affected? Quick check

Probably yes if any of these apply:

Running Outlook for Windows: Outlook 2013, 2016, 2019, 2021, or Microsoft 365 Apps for Enterprise without the March 2023 security update
Any Windows user with one of those Outlook builds, regardless of privilege level

Not affected: Outlook for Mac, iOS and Android, Outlook on the web, and other Microsoft 365 services, which do not process the reminder sound property and do not use NTLM.
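Being on an affected build answers whether you are exposed; whether you have already been targeted is answered by looking for delivered items whose reminder sound path is a UNC path or URL. Below is an added example of that hunt over the current user's Outlook profile through Outlook's COM object model; it is not the advisory's code and not Microsoft's script (Microsoft published an EWS-based CVE-2023-23397.ps1 in the microsoft/CSS-Exchange repository for tenant-wide scanning, which is the right tool for more than one mailbox). It assumes Outlook for Windows is installed with a configured profile and runs in that user's session; the function name, folder list and pattern are choices made for the example.

```powershell
# Added example (not the advisory's or Microsoft's code): hunt one Outlook profile for
# items whose reminder sound file points at a UNC path or URL, the property abused by
# CVE-2023-23397. Assumes Outlook for Windows is installed and a profile is configured;
# COM automation runs as the logged-on user and covers only that profile.

function Get-SuspiciousReminderItems {
    param(
        # Default folders to walk: Inbox (6), Calendar (9), Tasks (13), Deleted Items (3)
        [int[]]$DefaultFolderIds = @(6, 9, 13, 3),
        # UNC path (\\host\share, including WebDAV-style \\host@80\share) or any URL scheme
        [string]$SuspiciousPattern = '^(\\\\|[A-Za-z][A-Za-z0-9+.-]*://)'
    )
    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')

    function Walk-Folder($folder) {
        foreach ($item in $folder.Items) {
            # Item types without a reminder sound (contacts, reports) return $null here
            $sound = $item.ReminderSoundFile
            if (-not $sound -or $sound -notmatch $SuspiciousPattern) { continue }
            # Mail items expose SenderEmailAddress, appointments expose Organizer
            $sender = $item.SenderEmailAddress
            if (-not $sender) { $sender = $item.Organizer }
            [pscustomobject]@{
                Folder          = $folder.FolderPath
                Subject         = $item.Subject
                Sender          = $sender
                Received        = $item.ReceivedTime
                ReminderSet     = $item.ReminderSet
                OverrideDefault = $item.ReminderOverrideDefault
                ReminderSound   = $sound
            }
        }
        foreach ($sub in $folder.Folders) { Walk-Folder $sub }   # recurse into subfolders
    }

    try {
        foreach ($id in $DefaultFolderIds) {
            Walk-Folder $session.GetDefaultFolder($id)
        }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
    }
}

$hits = @(Get-SuspiciousReminderItems)
if ($hits.Count -eq 0) {
    'No items with a UNC or URL reminder sound path found in this profile.'
} else {
    $hits | Format-Table Folder, Subject, Sender, Received, ReminderSound -AutoSize
}
```

Reading SenderEmailAddress can trigger Outlook's Object Model Guard prompt on hosts without a registered antivirus product; drop that column if the prompt is unacceptable. A hit with ReminderSet true and a UNC sound path is the artefact to preserve (export the item as .msg) before deleting it, since the UNC host is the attacker's collection server and belongs in your indicators.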

Affected OS versions

Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022 (the vulnerable component is the Outlook for Windows client, so any Windows version running an unpatched Outlook build is exposed)
Fixed in: KB5023745 (March 2023 Security Update)
Real-world incidents: What we've seen

Microsoft attributed active exploitation to Forest Blizzard (APT28), a Russian GRU-affiliated threat actor. The group used CVE-2023-23397 to target European organisations in the energy, transportation, and government sectors beginning in April 2022, nearly a year before the vulnerability was disclosed. The attack was used for initial access and credential harvesting in multi-stage intrusions.

How to patch

Manual download

For air-gapped hosts or out-of-band deployment. The Microsoft Update Catalog lists every variant of this update for MSI-based Outlook installations; Click-to-Run installations (Microsoft 365 Apps) do not use Catalog packages and update through their Office update channel instead.

↗ Microsoft Update Catalog: KB5023745

Manual remediation steps

15 minutes (Office update, no reboot required)

Check if Outlook is Patched

# For Click-to-Run (Microsoft 365 Apps): read the reported build and update channel
$c2r = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -ErrorAction SilentlyContinue
$c2r | Select-Object UpdateChannel, VersionToReport
# Current Channel must report 16.0.16130.20306 or later; other channels have their own fixed
# build numbers, so compare against the March 2023 release notes for the channel shown above
([version]$c2r.VersionToReport) -ge [version]'16.0.16130.20306'

# For MSI installations: check the file version of OUTLOOK.EXE (path taken from the App Paths key)
$exe = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE" -ErrorAction SilentlyContinue).'(default)'
(Get-Item $exe).VersionInfo.FileVersion
# Compare against the fixed build listed in the KB article for your Outlook version;
# Programs and Features > Installed Updates also lists the applied KB

Immediate workaround (if patching is delayed)

# Block outbound SMB/NetBIOS session traffic (TCP 445 and TCP 139) at the host firewall.
# This stops the leak to Internet-hosted SMB servers. Scoped to all remote addresses, as
# below, it also breaks legitimate file-share access; in production scope -RemoteAddress
# to non-internal ranges. Not covered: an attacker on the internal network can still
# receive the authentication, and if the WebClient service is running the UNC lookup
# can fall back to WebDAV over HTTP, which still sends NTLM.
New-NetFirewallRule -DisplayName "Block Outbound SMB" -Direction Outbound `
  -Protocol TCP -RemotePort 445,139 -Action Block
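A single unscoped block rule is the quick version. The added example below (not from the advisory page) scripts the mitigations Microsoft listed for this CVE together in a form that can be pushed to endpoints: an egress block for SMB and NetBIOS scoped to everything outside RFC 1918 space so internal shares keep working, disabling the WebClient service to close the WebDAV fallback, and an optional step to put high-value accounts in the Protected Users group, whose members cannot authenticate with NTLM at all. It assumes an elevated session, the ActiveDirectory module only where the Protected Users step is used, and IPv4-only egress; the function names and the example account names are hypothetical.

```powershell
# Added example (not from the advisory page): host-side mitigations for CVE-2023-23397
# while patching is pending. Assumptions: run elevated; the ActiveDirectory module is
# needed only by Add-ToProtectedUsers; IPv6 egress is not covered by the firewall rules
# (add equivalent rules if IPv6 reaches the Internet from these hosts).

# Everything outside RFC 1918 space, as ranges New-NetFirewallRule accepts.
# Blocking only these keeps internal file servers and domain controllers reachable.
$NonRfc1918IPv4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Block-ExternalSmbEgress {
    # TCP 445 (SMB) and TCP 139 (NetBIOS session), plus UDP 137/138 (NetBIOS name/datagram)
    $rules = @(
        @{ Name = 'CVE-2023-23397 Block outbound SMB to non-RFC1918';     Proto = 'TCP'; Ports = @(445, 139) },
        @{ Name = 'CVE-2023-23397 Block outbound NetBIOS to non-RFC1918'; Proto = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist from an earlier run
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block -Profile Any `
            -Protocol $r.Proto -RemotePort $r.Ports -RemoteAddress $NonRfc1918IPv4 | Out-Null
    }
}

function Disable-WebDavFallback {
    # With SMB blocked, the UNC lookup can fall back to WebDAV over HTTP through the
    # WebClient service and still send NTLM. Stop and disable it where it is installed.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Add-ToProtectedUsers {
    # Members of Protected Users cannot authenticate with NTLM, so a leaked Net-NTLMv2
    # response is useless to the attacker. The group also forces Kerberos with AES, a
    # 4-hour TGT lifetime and no delegation: use it for high-value human accounts, never
    # for service accounts or users on hosts older than Windows 8.1 / Server 2012 R2.
    param([Parameter(Mandatory)][string[]]$SamAccountNames)
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountNames
}

Block-ExternalSmbEgress
Disable-WebDavFallback
# Add-ToProtectedUsers -SamAccountNames 'alice', 'bob'   # hypothetical accounts; run from a domain-joined admin host
```

None of this removes items that have already been delivered, so run a mailbox hunt as well, and remove the firewall rules by DisplayName once the Outlook update is confirmed on the host if the block interferes with legitimate cross-site SMB.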

Apply the Update

    1. Click-to-Run (M365 Apps): File > Account > Update Options > Update Now
    2. MSI installations: apply KB5023745 from Windows Update or the Microsoft Update Catalog

Verify (check the Outlook version after the update)

    1. Open Outlook > File > Office Account > About Outlook
    2. Click-to-Run on Current Channel must show version 16.0.16130.20306 or later; other update channels and MSI installations have their own fixed build numbers, listed in the March 2023 release notes and the KB article
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID  | CVE ID         | Vulnerability Name / Type                                                        | CVSS | Reference
KB5023745 | CVE-2023-23397 | Microsoft Outlook (Windows client) elevation of privilege, NTLM credential leak | 9.8  | NVD ↗