What is the Windows Error Reporting Service?
The Windows Error Reporting (WER) Service — implemented by wermgr.exe and the WerSvc service — is a Windows component that collects crash data, creates dump files, and reports application failures to Microsoft. WER runs with SYSTEM privileges to access crash data from all processes, including those running as other users. During error reporting, WER creates temporary files and directories in predictable locations. This combination — SYSTEM-level file operations in predictable paths — makes WER a classic target for symlink-based privilege escalation attacks.
Overview
CVE-2023-36874 is a symlink-based privilege escalation vulnerability in the Windows Error Reporting Service that allows a local attacker with low-privileged access to escalate to SYSTEM. Microsoft patched it on July 11, 2023 (Patch Tuesday) as an actively exploited zero-day. CISA added it to the KEV catalog the same day, reflecting confirmed in-the-wild exploitation as part of the broader July 2023 campaign cluster.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Windows 10 (all supported versions) | Yes | July 2023 cumulative update |
| Windows 11 (all supported versions) | Yes | July 2023 cumulative update |
| Windows Server 2008 through 2022 | Yes | July 2023 cumulative update |
Technical Details
The vulnerability (CWE-59 — improper link resolution before file access) is a symlink attack against the Windows Error Reporting Service. When WER processes a crash report, it creates or accesses files in a temporary directory under %LOCALAPPDATA%\CrashDumps or a similar user-writable path. The WER service, running as SYSTEM, follows these paths and performs file operations (create, write, rename) in what it expects to be a user's temporary directory.
A low-privileged attacker can:
- Create a directory or file at the temporary path WER expects to use.
- Replace it with a link pointing to a sensitive system location (e.g., a system directory or a privileged service's configuration file). On Windows this is typically an NTFS directory junction or an object-manager symbolic link rather than a file symlink; neither requires `SeCreateSymbolicLinkPrivilege`, and the swap must land between WER's check of the path and its use of it.
- Trigger a crash (or wait for one to occur naturally) so that the service processes a report.
- When WER's SYSTEM-privileged file operation resolves the link, the write lands on the attacker-chosen target, giving arbitrary file write as SYSTEM.
Arbitrary file write as SYSTEM can be leveraged into full SYSTEM code execution through various techniques (e.g., writing a malicious DLL to a SYSTEM service's directory).
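The following is an added example, not code from the page or from Windows, showing the CWE-59 pattern behind this bug in a form that runs on a POSIX host: a privileged writer that trusts a user-controlled directory beside a hardened writer that opens every path component with `O_NOFOLLOW` relative to a directory descriptor. Both cases from the list above are exercised: a link at the final file name and a link at an intermediate directory (the junction-style variant). The directory names, `protected.cfg`, `planted.dll` and the scenario itself are constructed for the demonstration; `os.symlink` needs a privilege or Developer Mode on Windows, and `dir_fd`/`O_DIRECTORY` are POSIX-only, so the Windows analogue (opening with `FILE_FLAG_OPEN_REPARSE_POINT` and rejecting reparse points) is described in the comments rather than run.

```python
import os
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """The vulnerable pattern: a privileged component writes to a path it
    assumes is a plain file under a user-writable directory. open() follows
    any symlink (on Windows: any reparse point, junctions included) in the
    path, so the write lands wherever the attacker pointed it."""
    with open(path, "wb") as f:
        f.write(data)


def write_nofollow(base_dir: str, relpath: str, data: bytes) -> None:
    """Hardened pattern (POSIX): open the trusted base_dir, then each
    component of relpath relative to the previous directory fd with
    O_NOFOLLOW. A link at any level fails with ELOOP instead of being
    followed, and the check is inside the open itself, so there is no window
    between check and use for an attacker to swap the path (no TOCTOU).
    Windows analogue: CreateFile/NtOpenFile with
    FILE_FLAG_OPEN_REPARSE_POINT / FILE_OPEN_REPARSE_POINT and rejecting
    any handle whose attributes include FILE_ATTRIBUTE_REPARSE_POINT."""
    parts = [p for p in relpath.replace("\\", "/").split("/") if p and p != "."]
    if not parts or ".." in parts:
        raise ValueError("relpath must be a simple relative path")
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)  # base_dir is trusted
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(parts[-1], flags, 0o600, dir_fd=dfd)
    finally:
        os.close(dfd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: 'CrashDumps' plays the user-writable directory
    the privileged writer trusts, 'protected.cfg' a file the user cannot
    normally modify, 'system' a directory the user cannot normally write to.
    Returns what each writer ended up doing."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")
        dumps = os.path.join(root, "CrashDumps")
        os.mkdir(dumps)

        def reset():
            with open(protected, "w") as f:
                f.write("original")

        # Case 1: the final component is a link to the protected file.
        reset()
        os.symlink(protected, os.path.join(dumps, "app.dmp"))
        naive_write(os.path.join(dumps, "app.dmp"), b"attacker")
        results["naive_file_link"] = open(protected).read()   # "attacker"

        reset()
        try:
            write_nofollow(root, "CrashDumps/app.dmp", b"attacker")
            results["hardened_file_link"] = "followed"
        except OSError:  # ELOOP: link refused, protected file untouched
            results["hardened_file_link"] = open(protected).read()  # "original"

        # Case 2: an intermediate directory is replaced by a link (the
        # junction-style variant); the final name is a plain new file.
        sysdir = os.path.join(root, "system")
        os.mkdir(sysdir)
        os.symlink(sysdir, os.path.join(dumps, "report"))
        naive_write(os.path.join(dumps, "report", "planted.dll"), b"attacker")
        results["naive_dir_link"] = os.path.exists(os.path.join(sysdir, "planted.dll"))

        try:
            write_nofollow(root, "CrashDumps/report/planted.dll", b"attacker")
            results["hardened_dir_link"] = "followed"
        except OSError:
            results["hardened_dir_link"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the descriptor walk is that a final-component `O_NOFOLLOW` alone is not enough: the junction variant keeps the file name honest and moves the directory instead, which is exactly why the Windows fix for this class of bug has to refuse reparse points on every component, not just the last.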
Discovery
Microsoft credited Vlad Stolyarov and Brendan Watkins of Google's Threat Analysis Group (TAG). TAG's involvement suggests the zero-day was discovered during investigation of targeted attack activity.
Exploitation Context
CVE-2023-36874 was exploited in the wild as part of the Storm-0978 (RomCom) attack campaign documented around the July 2023 NATO Summit in Vilnius, Lithuania. The same campaign leveraged CVE-2023-36884 (Windows/Office HTML RCE) for initial access and used local privilege escalation vulnerabilities to reach SYSTEM. Targets included organizations involved in the NATO Summit and entities supporting Ukraine, consistent with Russian intelligence collection priorities.
The combination of a phishing-delivered RCE (CVE-2023-36884) with a local EoP (CVE-2023-36874) represents a complete attack chain from initial access to SYSTEM-level persistence.
Remediation
- Apply the July 2023 Windows cumulative update — the fix corrects the insecure file handling in WER.
- Deploy Windows updates promptly — kernel and SYSTEM-level EoP zero-days like this are actively weaponized as part of complete attack chains; patch lag directly increases exposure.
- Monitor for unusual file system operations by WER — `wermgr.exe` or `WerFault.exe` writing to unexpected locations (outside `%LOCALAPPDATA%\CrashDumps` or `%WINDIR%\Temp`) should be flagged, especially creates or renames of executables, DLLs or service configuration under `%WINDIR%` by a SYSTEM-context WER process.
- Restrict `SeCreateSymbolicLinkPrivilege` where possible — by default only Administrators hold it (Developer Mode extends it to standard users), so check that it has not been widened. Treat this as hardening rather than a fix: NTFS directory junctions and object-manager symbolic links can be created by any user without this privilege, and this class of WER attack is typically built on those.
- Enable Windows Defender Exploit Guard and Protected Process features — together with EDR behavioral monitoring, these can detect privilege escalation patterns (such as a SYSTEM WER process writing outside its usual paths) even from zero-day exploits.
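Detection logic for the monitoring bullet above, as an added example that is not part of the page or of any vendor product: it runs over constructed Sysmon Event ID 11 (FileCreate) records rendered as `key=value|key=value` lines, the way a SIEM forwarder commonly flattens them, and flags creates by `wermgr.exe` or `WerFault.exe` outside an allow-list. The first two allow-list entries are the locations named in the remediation text; the two WER report-store directories under `%ProgramData%` and `%LOCALAPPDATA%\Microsoft\Windows\WER` are added for this example so routine report queueing does not alert. The sample events, user names and `planted.dll` path are constructed.

```python
import re
from typing import Iterable, List

# Places the WER components are expected to write. Matched case-insensitively
# against the full path (NTFS paths are case-insensitive). Tune per environment.
EXPECTED_WER_PATHS = [
    r"^c:\\users\\[^\\]+\\appdata\\local\\crashdumps\\",          # %LOCALAPPDATA%\CrashDumps
    r"^c:\\windows\\temp\\",                                       # %WINDIR%\Temp
    r"^c:\\programdata\\microsoft\\windows\\wer\\",                # report store (assumed allow-list entry)
    r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\wer\\",  # per-user report store (assumed)
]
WER_IMAGES = {"wermgr.exe", "werfault.exe"}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record into a dict. Values may contain
    backslashes and spaces; only the first '=' in each field is a separator."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_unexpected_wer_write(ev: dict) -> bool:
    """True for a FileCreate (Sysmon EventID 11) by a WER binary whose target
    lies outside every expected prefix."""
    if ev.get("EventID") != "11":
        return False
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in WER_IMAGES:
        return False
    target = ev.get("TargetFilename", "").lower()
    return not any(re.match(p, target) for p in EXPECTED_WER_PATHS)


def find_suspicious_wer_writes(lines: Iterable[str]) -> List[dict]:
    return [ev for ev in map(parse_event, lines) if is_unexpected_wer_write(ev)]


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    # routine crash dump in the user's CrashDumps folder: expected
    r"EventID=11|Image=C:\Windows\System32\WerFault.exe|TargetFilename=C:\Users\alice\AppData\Local\CrashDumps\notepad.exe.1234.dmp|User=CORP\alice",
    # service queueing a report in the WER store: expected
    r"EventID=11|Image=C:\Windows\System32\wermgr.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_demo\Report.wer|User=NT AUTHORITY\SYSTEM",
    # SYSTEM-context wermgr.exe creating a DLL under System32: the pattern to flag
    r"EventID=11|Image=C:\Windows\System32\wermgr.exe|TargetFilename=C:\Windows\System32\planted.dll|User=NT AUTHORITY\SYSTEM",
    # unrelated process: ignored
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\Desktop\notes.txt|User=CORP\alice",
    # ProcessCreate, not FileCreate: ignored even though the image is WerFault.exe
    r"EventID=1|Image=C:\Windows\System32\WerFault.exe|CommandLine=WerFault.exe -u -p 1234 -s 100|User=CORP\alice",
]


if __name__ == "__main__":
    for alert in find_suspicious_wer_writes(SAMPLE_EVENTS):
        print("ALERT", alert["Image"], "->", alert["TargetFilename"], "as", alert["User"])
```

The rule keys on the writing image and the destination, not on the link itself, because Sysmon file events show the resolved target path and do not record junction or object-manager symlink creation; pair it with the `User` field (a SYSTEM-context write is the interesting case) and baseline the allow-list before deploying it as an alert rather than a hunt query.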
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-36874 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2023-07-11 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-59 |
| CISA KEV Added | 2023-07-11 |
| CISA KEV Deadline | 2023-08-01 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2023-07-11 | Microsoft July 2023 Patch Tuesday — CVE-2023-36874 patched as actively exploited zero-day |
| 2023-07-11 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-08-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center Advisory | Vendor Advisory |
| NVD — CVE-2023-36874 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |