CVE-2023-32046 — Microsoft Windows MSHTML Platform Privilege Escalation Vulnerability

Windows MSHTML — Privilege Escalation via Crafted File; July 2023 Patch Tuesday Zero-Day

What is the Windows MSHTML Platform?

MSHTML (also known as Trident) is Microsoft's legacy HTML rendering engine, originally developed for Internet Explorer. Although IE itself was retired in 2022, MSHTML remains part of Windows as a system component used by Windows applications that render HTML content — including the Windows Help system, some Office applications when displaying rich content, Outlook for HTML email rendering, and legacy applications that embed IE's web control. MSHTML's continued presence as a system component makes vulnerabilities in it significant despite IE's retirement.

Overview

CVE-2023-32046 is a privilege escalation vulnerability in the Windows MSHTML Platform that allows an attacker to gain the privileges of the user who opens a maliciously crafted file. Microsoft disclosed and patched it on July 11, 2023 (Patch Tuesday) as an actively exploited zero-day. The user interaction requirement (opening a crafted file) makes it suitable for phishing-based delivery, with attackers escalating privileges after initial low-privilege access. CISA added it to the KEV catalog on the same day as the patch.

Affected Versions

Product | Affected | Fixed
Windows 10 (all supported versions) | Yes | July 2023 cumulative update
Windows 11 (all supported versions) | Yes | July 2023 cumulative update
Windows Server 2008 through 2022 | Yes | July 2023 cumulative update

Technical Details

Microsoft describes CVE-2023-32046 as a privilege escalation in MSHTML triggered when a user opens a specially crafted file. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates that the attack is delivered locally (the file must be on the victim's system) and requires no prior privileges, but does require the user to open the file.

MSHTML processes various file types containing HTML or HTML-adjacent content — .mhtml (MIME HTML), .eml files, HTML Help files, and other web archive formats. A crafted file exploiting this vulnerability causes MSHTML to execute code at a higher privilege level than the user's current context. In a standard user account context, this enables elevation to administrator or SYSTEM level — a critical step in post-exploitation chains.

The attack flow in phishing scenarios: the victim receives and opens an email attachment or downloaded file → MSHTML processes it and triggers the vulnerability → code runs at escalated privilege → attacker deploys additional payload.

Discovery

Microsoft credited Genwei Jiang of Mandiant and Dohyun Lee (@l33d0hyun) of DNSLab at Korea University with the discovery. Active in-the-wild exploitation before the patch indicates the bug was also known to threat actors independently.

Exploitation Context

MSHTML-based vulnerabilities have been a consistent target for sophisticated threat actors. The combination of user interaction (opening a file) with zero prior privilege requirement makes them effective for phishing-delivered privilege escalation. The July 2023 Patch Tuesday also addressed CVE-2023-36884 (Windows/Office HTML RCE) in the same campaign context — together, these zero-days were associated with Storm-0978 (also known as RomCom) activity targeting European and North American organizations.

CISA's same-day KEV addition reflects the active zero-day status and urgency of the patch.

Remediation

  1. Apply the July 2023 Windows cumulative update via Windows Update, WSUS, or SCCM.
  2. Prioritize patching immediately — zero-day MSHTML vulnerabilities are commonly delivered via phishing attachments and are part of active targeted attack campaigns.
  3. Restrict MHTML file handling — consider disabling or restricting MHTML file type associations via Group Policy for environments where MHTML files are not a business requirement.
  4. Enable Attack Surface Reduction (ASR) rules — specifically the rules "Block all Office applications from creating child processes" and "Block Office applications from injecting code into other processes", which reduce MSHTML-based exploitation in the Office context.
  5. Train users on attachment safety — MSHTML exploits rely on user interaction; reinforcing caution about unexpected email attachments remains an effective defense layer.
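
A read-only host audit covering steps 1, 3 and 4 above. This is an added example, not part of the original advisory or any Microsoft tooling. It assumes Microsoft Defender Antivirus is the active AV (for Get-MpPreference); the function names are hypothetical, and the patch check is a date heuristic rather than a build-number comparison.

```powershell
# Added example: read-only audit of remediation steps 1, 3 and 4 on one host.
# Run in an elevated PowerShell session; no settings are changed.
$PatchDate  = [datetime]'2023-07-11'   # July 2023 Patch Tuesday, per this page
$AsrRules   = @{                       # rule GUIDs from Microsoft's ASR rule reference
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF2-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function New-Finding($Check, $Detail, $Status) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail; Status = $Status }
}

function Test-PatchRecency {
    # Heuristic (assumption): an update installed on or after Patch Tuesday suggests,
    # but does not prove, that the July 2023 cumulative update or a successor is present.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return New-Finding 'Step 1: patch level' 'no dated update found' 'ACTION' }
    $status = if ($latest.InstalledOn -ge $PatchDate) { 'REVIEW' } else { 'ACTION' }
    $when   = $latest.InstalledOn.ToString('yyyy-MM-dd')
    New-Finding 'Step 1: patch level' "$($latest.HotFixID) installed $when" $status
}

function Get-MhtmlAssociation {
    # assoc reports the machine-wide handler only; per-user choices are not shown.
    foreach ($ext in '.mht', '.mhtml') {
        $assoc  = cmd /c "assoc $ext" 2>$null      # "<ext>=<ProgID>", empty if none
        $detail = if ($assoc) { "$assoc" } else { 'no association' }
        $status = if ($assoc) { 'REVIEW' } else { 'OK' }
        New-Finding "Step 3: $ext handler" $detail $status
    }
}

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays; a rule missing from Ids is not configured.
    $mp      = Get-MpPreference
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $guid) { $state = $AsrActions[[int]$actions[$i]] }
        }
        $status = if ($state -eq 'Block') { 'OK' } else { 'ACTION' }
        New-Finding "Step 4: $($AsrRules[$guid])" $state $status
    }
}

@(Test-PatchRecency) + @(Get-MhtmlAssociation) + @(Get-AsrRuleState) | Format-Table -AutoSize -Wrap
```

A REVIEW status means the result needs a human decision: confirm the installed update against the vendor's July 2023 release for that OS version, and confirm whether MHTML handling is a business requirement.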

Key Details

Property | Value
CVE ID | CVE-2023-32046
Vendor / Product | Microsoft — Windows
NVD Published | 2023-07-11
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CISA KEV Added | 2023-07-11
CISA KEV Deadline | 2023-08-01
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
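
How the 7.8 score follows from these metrics, worked through with the base-score equations and metric weights of the CVSS v3.1 specification (an added derivation, not part of the original advisory):

ISS = 1 - (1 - C)(1 - I)(1 - A) = 1 - (1 - 0.56)^3 ≈ 0.915
Impact (Scope Unchanged) = 6.42 × ISS ≈ 5.87
Exploitability = 8.22 × AV × AC × PR × UI = 8.22 × 0.55 × 0.77 × 0.85 × 0.62 ≈ 1.83
Base Score = Roundup(min(Impact + Exploitability, 10)) = Roundup(7.71) = 7.8

The User Interaction weight (0.62 for Required, against 0.85 for None) and the Local attack vector (0.55) are what keep this vector in the High band rather than Critical despite High impact on all three of confidentiality, integrity and availability.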

Required Action

CISA BOD 22-01 Deadline: 2023-08-01. Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Timeline

Date | Event
2023-07-11 | Microsoft July 2023 Patch Tuesday — CVE-2023-32046 patched as actively exploited zero-day
2023-07-11 | Added to CISA Known Exploited Vulnerabilities catalog
2023-08-01 | CISA BOD 22-01 remediation deadline
