CVE-2023-36761: Microsoft Word (Multiple Versions) – Disclosure of Sensitive NTLM Hashes to Unauthorised Actors via Preview Pane

Background & Context

Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983, under the name Multi-Tool Word for Xenix systems. Commercial versions of Word are licensed as a standalone product or as a component of Microsoft 365 suite of software, which can be purchased either with a perpetual license or as part of a Microsoft 365 subscription, respectively.

In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.


Vulnerability Summary

Microsoft reports that the preview pane in Microsoft Word contains a security vulnerability. Previewing a specially crafted file can cause the disclosure of New Technology LAN Manager (NTLM) hashes to unauthorised Actors. Net-NTLMv2 hashes are used for authentication in Windows environments so should not be exposed to unauthorised actors.


Impact If Exploited

If a malicious actor gains access to these NTLM hashes, they could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold into an organization. An attacker can potentially impersonate another user, gaining unauthorized access to sensitive data and systems. They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it. Using a technique known as an exploit chain involving a second vulnerability CVE-2023-36802, an attacker could use both zero-day vulnerabilities in combination in order to obtain user credentials and then take over multiple systems.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-09-13. It should be considered a high priority to remediate in vulnerable environments in order to prevent possible exploit.


Affected Product Versions

  • * Microsoft Word 2013 Service Pack 1 (64-bit editions) prior to release 15.0.5589.1001
  • Microsoft Word 2013 Service Pack 1 (32-bit editions) prior to release 15.0.5589.1001
  • Microsoft Word 2013 RT Service Pack 1 prior to release 15.0.5589.1001
  • Microsoft Word 2016 (64-bit edition) prior to release 16.0.5413.1000
  • Microsoft Word 2016 (32-bit edition) prior to release 16.0.5413.1000
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions


Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of Microsoft Word. Security updates are available at the following links (or may also be obtained via built-in security updates to operating system):

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.


Category: Sensitive Data Disclosure



AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.