Yesterday, for its May 2023 Patch Tuesday, Microsoft released a critical security update for Domain Controllers and Windows Server installations offering Active Directory Lightweight Directory Services. This vulnerability is known as CVE-2023-28283 and rated with CVSSv3.1 scores of 8.1/7.1.
A remote code execution vulnerability exists in the Windows Lightweight Directory Access Protocol (LDAP). An adversary who successfully exploited the vulnerability could run arbitrary code within the context of the LDAP service over the network.
Successful exploitation of this vulnerability requires an adversary to win a race condition.
The vulnerability was responsibly disclosed to Microsoft by Yuji Chen with Cyber KunLun.
Affected Operating Systems
Windows Server installation dating back to Windows Server 2008, that are configured as Domain Controllers or offer Active Directory Lightweight Directory Services (AD LDS) are at risk from this vulnerability. Both Server Core and Full installations of Windows Server are affected.
Microsoft has not identified any mitigating factors for this vulnerability.
Call to Action
I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers and Windows Server installations offering Active Directory Lightweight Directory Services (AD LDS), in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations running as Active Directory Domain Controllers and Windows Server installations offering AD LDS, in the production environment.