CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief
2023-7-13 02:45:56 Author: unit42.paloaltonetworks.com


With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution vulnerability, CVE-2023-36884, which it rated as "important" severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents. Exploitation requires the user to open the malicious document.

Unit 42 Threat Intelligence can confirm that this vulnerability has been utilized since at least July 3, 2023. Further analysis is being conducted; an update will be made to this Threat Brief as the analysis is completed.

Microsoft recommends blocking Office applications from creating child processes or setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. See the Security Updates page for more information.
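
An added example, not part of the original brief: a PowerShell script that audits whether the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation is set for each Office executable and, with `-Apply`, sets it. The registry path and the list of executables are assumptions taken from Microsoft's advisory for CVE-2023-36884 rather than from this page; confirm them on the Security Updates page before use.

```powershell
# Added example: audit (and optionally apply) the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation.
# Assumptions, not from this page: the default registry path and executable list follow
# Microsoft's advisory for CVE-2023-36884. Verify both against the advisory before deploying.
[CmdletBinding()]
param(
    [string]$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION',
    [string[]]$Executables = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                               'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'),
    [switch]$Apply   # without -Apply the script only reports
)

$results = foreach ($exe in $Executables) {
    # A missing key or a missing value means the mitigation is not set for that application.
    $current = $null
    if (Test-Path -LiteralPath $FeatureKey) {
        $current = (Get-ItemProperty -LiteralPath $FeatureKey -Name $exe -ErrorAction SilentlyContinue).$exe
    }
    $ok = ($current -eq 1)

    if (-not $ok -and $Apply) {
        if (-not (Test-Path -LiteralPath $FeatureKey)) {
            New-Item -Path $FeatureKey -Force | Out-Null   # creates missing parent keys too
        }
        # REG_DWORD 1 turns the feature control on for this process name.
        New-ItemProperty -LiteralPath $FeatureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
        $ok = $true
    }

    [pscustomobject]@{ Executable = $exe; Value = $current; Mitigated = $ok }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a compliance job flag hosts that still lack the setting.
$missing = @($results | Where-Object { -not $_.Mitigated })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) application(s) lack the mitigation; rerun elevated with -Apply to set it."
    exit 1
}
```

Writing under HKLM requires an elevated session; without `-Apply` the script makes no changes.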

Palo Alto Networks customers receive protections from and mitigations for CVE-2023-36884 in the following ways:

  • Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
  • Cortex XDR and XSIAM agents help protect against post-exploitation activities associated with exploitation of CVE-2023-36884.

Unit 42 will continue to monitor the situation for updated information, release of proof-of-concept code and evidence of more widespread exploitation. This brief will be updated as more information on the vulnerability and mitigations becomes available.

Vulnerabilities Discussed: CVE-2023-36884

Table of Contents

Palo Alto Networks Product Protections for CVE-2023-36884
Unit 42 Incident Response
Cortex XDR and XSIAM

Palo Alto Networks Product Protections for CVE-2023-36884

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

Unit 42 Incident Response

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Cortex XDR and XSIAM

Cortex XDR and XSIAM agents help protect against post-exploitation activities associated with exploitation of CVE-2023-36884 using Behavioral Threat Protection, as well as multiple protection modules. Cortex Analytics can help detect suspicious activity.



Article source: https://unit42.paloaltonetworks.com/cve-2023-36884-rce/