CVE-2023-21715 — Microsoft Office Publisher Security Feature Bypass Vulnerability

Microsoft Office Publisher — Macro Policy Bypass Allowing VBA Execution Despite Office Macro Restrictions; February 2023 Zero-Day

What is Microsoft Office Publisher?

Microsoft Publisher is the desktop publishing application in the Microsoft Office suite, used to create newsletters, brochures, postcards, and other print-layout documents. Publisher supports VBA (Visual Basic for Applications) macros — the same macro engine used in Word, Excel, and other Office applications. Since Office 2016, Microsoft has implemented increasingly strict macro security policies, including blocking macros in files downloaded from the internet (Mark of the Web / MOTW) and organization-managed policies that prohibit macros from running by default. Security feature bypass vulnerabilities in Office applications that allow macros to run despite these protections are a high-priority attack vector for initial access.

Overview

CVE-2023-21715 is a security feature bypass vulnerability (CWE-863) in Microsoft Office Publisher: a malicious Publisher document supplied by a locally authenticated attacker can run VBA macros even when Office macro execution is restricted by organizational policy. It was patched on February 2023 Patch Tuesday as an actively exploited zero-day and was added to the CISA KEV catalog the same day. The attacker must convince the user to open a malicious .pub file; once it is opened, Publisher bypasses the configured macro restrictions and executes the embedded VBA code. This provides an initial access or lateral movement vector that circumvents Microsoft's macro defense investments.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| Microsoft 365 Apps for Enterprise | Affected versions | February 2023 update |
| Microsoft Office LTSC 2021 | Affected versions | February 2023 update |
| Microsoft Office 2019 | Affected versions | February 2023 update |
| Microsoft Publisher 2016 | Affected versions | February 2023 update |

Technical Details

Microsoft Office enforces macro security through a combination of policies — including group policy settings that control which locations or document types are allowed to run macros, and MOTW (Mark of the Web) tracking that flags documents downloaded from the internet. CWE-863 (Incorrect Authorization) describes a failure where security enforcement logic incorrectly grants permissions that should be denied.

CVE-2023-21715 specifically affects Microsoft Publisher's macro authorization logic. When a Publisher file containing macros is opened, Publisher's authorization check fails to properly enforce the organization's configured macro restriction policy — allowing the macros to run as if they were trusted, even when group policy or Trust Center settings should block execution.

The CVSS vector (AV:L/PR:L/UI:R) reflects that:

  • The attack is local (AV:L) — the attacker provides the malicious .pub file, which the victim must open
  • Low privilege is required (PR:L) — a standard user can both create and deliver the malicious document
  • User interaction is required (UI:R) — the victim must open the file, which may arrive via email, a download link, or a shared drive

VBA macros in Publisher can perform any action the user has permission to do: downloading and executing additional malware, modifying files, stealing credentials, establishing C2 connectivity, or pivoting to other systems.

Discovery

CVE-2023-21715 was reported to Microsoft and was confirmed to be actively exploited in the wild at the time of patching. The simultaneous KEV addition on Patch Tuesday confirms this was a zero-day — attackers discovered and weaponized it before Microsoft became aware and released the fix.

Exploitation Context

Office macro security bypasses are persistent targets for initial access brokers and threat actors delivering malware. Microsoft's 2022 decision to block macros by default in internet-downloaded Office files significantly raised the bar for macro-based delivery — attackers responded by searching for bypass techniques. CVE-2023-21715's Publisher-specific bypass provided a vector that circumvented organization-wide macro policies, which organizations relied on as a defense against macro malware even for files not flagged by MOTW. Publisher files (.pub) are less common than Word or Excel documents, potentially reducing scrutiny from email security gateways and end users.

Remediation

  1. Apply the February 2023 Microsoft Office/Publisher update — the fix closes the macro policy bypass in Publisher.
  2. Keep Office updated monthly — macro security bypass vulnerabilities are actively researched; monthly patching maintains the security posture that Microsoft's policy investments are designed to provide.
  3. Block Publisher file types at the email gateway if Publisher documents are not used in your environment — .pub files are unnecessary for most organizations and blocking them eliminates the delivery vector.
  4. Apply Microsoft's macro blocking policies via group policy or Microsoft 365 admin center — even with this CVE patched, ensuring macro policies are correctly configured provides defense in depth.
  5. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender — specifically rules that block Office applications from creating child processes and from injecting code into other processes.
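
For step 3, the following is an added example (not code from the page or from any gateway product) of the check a .pub block rule has to make on each inbound message. The function names, the reason labels, the `application/x-mspublisher` MIME type as the commonly declared Publisher type, and the constructed sample message are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PUB_MIME = {"application/x-mspublisher"}  # assumed: commonly declared Publisher type


def is_pub_name(name):
    # Normalize case plus trailing dots/spaces before comparing the extension.
    return name.strip().rstrip(". ").lower().endswith(".pub")


def pub_findings(raw_message):
    """Return (attachment name, reason) pairs a .pub block rule should act on."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_pub_name(name):
            findings.append((name, "pub-extension"))
        elif part.get_content_type() in PUB_MIME:
            findings.append((name, "pub-mime-type"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # Apply the same rule to archive members, not only the outer name.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if is_pub_name(inner):
                        findings.append((f"{name}!{inner}", "pub-in-zip"))
    return findings


def build_sample():
    """Constructed test message; payloads are placeholder bytes, not real files."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="Newsletter.PUB")
    msg.add_attachment(b"%PDF-1.7", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="x-mspublisher", filename="layout")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flyer.pub", b"placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```
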

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-21715 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2023-02-14 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-863 |
| CISA KEV Added | 2023-02-14 |
| CISA KEV Deadline | 2023-03-07 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-03-07. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2023-02-14 | Microsoft February 2023 Patch Tuesday — CVE-2023-21715 patched as an actively exploited zero-day; CVE published and added to CISA KEV catalog on same day |
| 2023-03-07 | CISA BOD 22-01 remediation deadline |
