IRONSMITHINTEL
Severity: Critical (CVSS 9.8) | Actively exploited | CISA KEV | CVE-2023-23397 | Auth: none (zero-click) | Reboot: required | Est. 30–60 minutes including reboot | Manual only

KB5023706: Windows Server 2019 / 2022 Cumulative Update (March 2023)

The March 2023 Patch Tuesday release addresses 80 CVEs across Microsoft products, including CVE-2023-23397, an Outlook for Windows elevation-of-privilege flaw that was exploited in the wild against European organisations for months before Microsoft patched it. Apply the Windows cumulative update immediately, and apply the March 2023 Outlook (Office) security update alongside it: the Outlook client update, not the Windows cumulative update, is what closes CVE-2023-23397.

Published Mar 14, 2023 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker sends the target a crafted email or calendar item whose reminder points at a UNC path on a server the attacker controls. When the reminder fires, Outlook tries to fetch the custom reminder sound from that path and authenticates with the victim's credentials, handing the attacker a Net-NTLMv2 challenge/response (not the stored password hash). The attacker relays that response to an internal service that does not enforce SMB/LDAP signing or Extended Protection for Authentication and acts there as the victim, or cracks it offline if the password is weak. No click is needed: the item only has to arrive while Outlook is running and the reminder time has to pass.

How the attack works: no clicks needed

CVE-2023-23397 lets a remote attacker steal NTLM credentials by sending a specially crafted message. The crafted item carries an extended MAPI property (PidLidReminderFileParameter) pointing at an attacker-controlled UNC path, and Outlook for Windows follows that path when the reminder fires, so the victim never has to open the message. Outlook for Android, iOS and Mac and Outlook on the web are not affected. The fix for this flaw ships in the March 2023 Outlook security updates for every supported Outlook for Windows version; the Windows Server cumulative update covered here belongs to the same release, which addressed 80 CVEs in total, but it does not change Outlook. Install both.

Attack chain:

1. Crafted message or appointment arrives in the victim's mailbox
2. Reminder fires; Outlook opens the UNC path held in PidLidReminderFileParameter
3. Net-NTLMv2 response is sent to the attacker's server over SMB (or over WebDAV if SMB is blocked and the WebClient service is running)
4. Response is relayed to an internal service (or cracked offline); the attacker acts as the victim
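The two interim mitigations Microsoft published with the advisory (block outbound SMB to the internet; put high-value accounts in Protected Users so they cannot use NTLM at all) are scripted below as an added example. This is not code from the original page or from Microsoft; the server list, account names and firewall rule name are placeholders, and the `Internet` address keyword assumes the Windows Firewall profile's idea of "internet" matches your network.

```powershell
# Added example, not from the original page: the interim mitigations for
# CVE-2023-23397, applied to one Windows host and its AD domain.
# Assumptions (placeholders, not from the page): $PrivilegedUsers, $ruleName.
#Requires -RunAsAdministrator

# 1. Block outbound SMB (TCP 445) to internet-scoped addresses so a reminder
#    pointing at an external UNC path cannot complete an NTLM exchange.
#    Block rules win over allow rules in Windows Firewall, so internal shares
#    keep working. Note: with 445 blocked, Outlook can fall back to WebDAV if
#    the WebClient service is running; stop/disable it where it is not needed.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient -and $webclient.Status -eq 'Running') {
    Write-Warning 'WebClient (WebDAV redirector) is running; consider disabling it.'
}

# 2. Add privileged accounts to Protected Users. Members cannot authenticate
#    with NTLM, so a captured Net-NTLMv2 response is useless. Needs the RSAT
#    ActiveDirectory module and rights on the group. Pilot first: Protected
#    Users also disables DES/RC4 Kerberos and shortens ticket lifetime,
#    which breaks some legacy applications and service accounts.
$PrivilegedUsers = @('da-alice', 'da-bob')   # placeholder sAMAccountNames
Import-Module ActiveDirectory
$group   = Get-ADGroup -Identity 'Protected Users'
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
foreach ($sam in $PrivilegedUsers) {
    if ($members -contains $sam) { continue }
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    Add-ADGroupMember -Identity $group -Members $user
    Write-Host "Added $sam to Protected Users"
}

# 3. Report what is now in place.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
```

These mitigations reduce exposure while Outlook clients are being updated; they do not replace the Outlook security update, and the perimeter firewall and VPN split-tunnel policy need the same outbound 445 block for hosts that are off the corporate network.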

Am I affected? Quick check

Probably yes if any of these apply:

Windows Server 2019 without KB5023702, or Windows Server 2022 without KB5023706 (for the other fixes in the March 2023 release)
Any Windows host running Outlook for Windows without the March 2023 Outlook security update; this is where CVE-2023-23397 actually lives, and it covers workstations and any server with Outlook installed
Exchange Server: not vulnerable in itself, but the mailboxes it hosts may already contain crafted items; run Microsoft's CVE-2023-23397 script against them
Not affected: Outlook for Android, iOS and Mac, and Outlook on the web

Affected OS versions

Windows Server 2019 · Windows Server 2022
Fixed in: KB5023706 (2022) / KB5023702 (2019)

Real-world incidents: what we've seen

Russian APT group APT28 (Fancy Bear) exploited CVE-2023-23397 against military, government, and critical infrastructure organisations in Europe for almost a year before Microsoft patched it in March 2023. Ukrainian organisations were among the primary targets. CISA added this to the KEV catalog on the day of patch release.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Search the Microsoft Update Catalog by KB number; it lists a separate package per product and architecture, so confirm the Products column matches your OS before downloading, and note the file hash shown in the catalog's file details so you can verify the copy that crosses the air gap.

Microsoft Update Catalog (search KB5023706): https://www.catalog.update.microsoft.com/Search.aspx?q=KB5023706

Manual remediation steps

30–60 minutes including reboot

Check Patch Status

# Windows Server 2022 (prints nothing if the update is missing; without
# -ErrorAction Get-HotFix throws on a missing KB)
Get-HotFix -Id KB5023706 -ErrorAction SilentlyContinue

# Windows Server 2019
Get-HotFix -Id KB5023702 -ErrorAction SilentlyContinue

Check for CVE-2023-23397 Exposure

# Microsoft published CVE-2023-23397.ps1, which scans Exchange mailboxes for
# items carrying the malicious reminder property.
# Download: https://www.microsoft.com/en-us/download/details.aspx?id=105130
# Run it from the Exchange Management Shell on-premises with an account that
# has EWS impersonation rights over the mailboxes being scanned.
# Audit pass (no changes made):
.\CVE-2023-23397.ps1 -Environment Onprem
# After reviewing the results, clear the property from the items found:
# .\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearProperty

Apply

1. Download from https://catalog.update.microsoft.com
   WS2022: KB5023706
   WS2019: KB5023702
2. Install as Administrator (double-click the .msu, or from an elevated prompt run: wusa.exe <file>.msu /quiet /norestart)
3. Restart

Verify

Get-HotFix -Id KB5023706  # or KB5023702
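The single-host checks above scale poorly once there are more than a handful of servers. The script below is an added example (not from the original page) that runs the same verification over a fleet, picks the expected KB from the OS caption, flags a pending reboot, and also reports the Outlook Click-to-Run version where Outlook is installed so the host can be compared against the Outlook build table in Microsoft's advisory. It assumes WinRM remoting is enabled and the caller is a local administrator on each target; the server names are placeholders.

```powershell
# Added example, not from the original page: fleet verification of the
# March 2023 cumulative update and Outlook presence.
# Assumptions (placeholders, not from the page): $Servers.
$Servers = @('srv-fs01', 'srv-app02', 'srv-rds03')

# KB numbers as given on this page. Confirm against the Update Catalog's
# Products column before relying on them for your OS versions.
$ExpectedKb = @{
    'Windows Server 2019' = 'KB5023702'
    'Windows Server 2022' = 'KB5023706'
}

$raw = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cv  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = Get-ItemPropertyValue -Path $cv -Name UBR -ErrorAction SilentlyContinue
    # Reboot is pending if either the WU or the CBS marker key exists.
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
    # Outlook Click-to-Run build, if Office C2R is installed on this host.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $officeBuild = Get-ItemPropertyValue -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue
    $outlookExe  = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' -Name '(default)' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Caption       = $os.Caption
        Build         = "$($os.BuildNumber).$ubr"
        LastBoot      = $os.LastBootUpTime
        Hotfixes      = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
        RebootPending = $pending
        OutlookPath   = $outlookExe
        OfficeBuild   = $officeBuild
    }
}

$report = foreach ($r in $raw) {
    $key = $ExpectedKb.Keys | Where-Object { $r.Caption -like "*$_*" } | Select-Object -First 1
    $kb  = if ($key) { $ExpectedKb[$key] } else { $null }
    $status =
        if (-not $kb)                                                   { 'UNKNOWN OS (not covered by this entry)' }
        elseif ($r.Hotfixes -contains $kb -and -not $r.RebootPending)  { "OK ($kb installed)" }
        elseif ($r.Hotfixes -contains $kb)                              { "INSTALLED, REBOOT PENDING ($kb)" }
        else                                                            { "MISSING $kb" }
    $outlook =
        if ($r.OutlookPath) { "present (C2R build $($r.OfficeBuild)); check against advisory" }
        else                { 'not installed' }
    [pscustomobject]@{
        Computer = $r.Computer
        OS       = $r.Caption
        Build    = $r.Build
        CUStatus = $status
        Outlook  = $outlook
    }
}

$report | Sort-Object CUStatus | Format-Table -AutoSize
# Hosts that need action, for ticketing:
$report | Where-Object { $_.CUStatus -notlike 'OK*' -or $_.Outlook -like 'present*' }
```

Get-HotFix only lists updates that registered with the servicing stack, so a host that shows the KB but a build number older than the one in the KB article has not finished installing; the build column is the value to trust when the two disagree. MSI-installed Office does not expose VersionToReport, so an Outlook shown as "present" with an empty build needs a manual check of the OUTLOOK.EXE file version.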

CVEs in this entry: 1 · Patch-to-CVE mapping

Patch ID   | CVE ID         | Vulnerability name / type                                          | CVSS | Reference
KB5023706  | CVE-2023-23397 | Microsoft Outlook elevation of privilege (NTLM credential leak)    | 9.8  | NVD

Note: this mapping follows the March 2023 release bundle. The code change for CVE-2023-23397 is in the Outlook client update; KB5023706 / KB5023702 are required for the other fixes in the release but do not modify Outlook.