What is Microsoft Skype for Business Server?
Microsoft Skype for Business Server is an on-premises enterprise unified communications (UC) platform providing instant messaging, presence, voice calling, video conferencing, and web conferencing services. It is widely deployed in large enterprise, government, and financial sector environments that cannot use cloud-based Teams due to data residency or compliance requirements. Skype for Business Server's web service layer handles HTTPS requests for user authentication, meeting joins, and management operations — and is typically internet-accessible to allow remote workers to connect. Server-side request forgery (SSRF) vulnerabilities in web service layers arise when attacker-controlled input can cause the server to make HTTP requests to internal network addresses on the attacker's behalf.
Overview
CVE-2023-41763 is a server-side request forgery vulnerability (CWE-918) in Microsoft Skype for Business Server 2015 and 2019. Microsoft's advisory titles it an elevation of privilege vulnerability, but its own description is an SSRF: an unauthenticated, specially crafted network call makes the server parse an HTTP request to an arbitrary address, which can disclose internal IP addresses, port numbers or both. By inducing the server to probe internal resources, an attacker can map internal service topology and, where the server runs in a cloud or hybrid environment, attempt to reach metadata APIs and internal APIs that were never meant to be externally accessible. Microsoft fixed CVE-2023-41763 in the October 2023 Patch Tuesday release with exploitation already detected in the wild, and CISA added it to the KEV catalog the same day, 10 October 2023.
The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, base score 5.3) reflects unauthenticated, no-interaction exploitation with a low confidentiality impact and no integrity or availability impact: the SSRF returns partial internal information rather than credentials or secrets, but the reconnaissance it enables is meaningful.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Skype for Business Server 2015 | Builds prior to the October 2023 cumulative update | October 2023 cumulative update |
| Skype for Business Server 2019 | Builds prior to the October 2023 cumulative update | October 2023 cumulative update |
Technical Details
Server-side request forgery (CWE-918) occurs when a web application builds the target of a server-side HTTP request from attacker-controlled input without checking that the target is one the server is meant to contact. Microsoft's advisory describes CVE-2023-41763 in exactly these terms: a specially crafted network call to the Skype for Business Server causes it to parse an HTTP request made to an arbitrary address, disclosing IP addresses, port numbers or both. Microsoft has not published the affected endpoint or parameter, so the sequence below is the generic SSRF pattern applied to that description:
- Craft a request to the Skype for Business web service: an unauthenticated attacker sends an HTTP request to an internet-facing web endpoint carrying a URL or address that the server treats as the target of its own outbound request.
- The server makes the proxied request: Skype for Business Server connects to the attacker-chosen address, which can be an internal host such as http://10.0.0.1/, a link-local endpoint such as http://169.254.169.254/ (the instance metadata address on Azure, AWS and GCP), or an internal service endpoint.
- The response leaks: the server's reply or error message differs depending on whether the target answered, what it returned, or how long it took, so the attacker can confirm live hosts and open ports, infer internal address ranges and, where the target answers a bare GET, read part of its content.
The C:L (low confidentiality) rating reflects that this is a partial, indirect read: responses are truncated or filtered, and in Microsoft's description the disclosed data is addresses and port numbers rather than secrets. That is still useful reconnaissance, since confirming which internal hosts and ports exist is the first step in planning lateral movement.
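The pattern above, as an added example that is not code from Skype for Business Server or Microsoft: a URL-fetching handler of the kind an SSRF bug lives in, first without checks and then hardened with a hostname allowlist, a check of every resolved address (including IPv4-mapped IPv6 answers) and a connection pinned to the checked address. DNS and the network are replaced by constructed tables so it runs offline; every hostname, address and allowlist entry is an assumption made up for the example.

```python
"""Added example, not code from Skype for Business Server or Microsoft.

A URL-fetching handler of the kind an SSRF bug lives in, first without
checks and then hardened. DNS and the network are replaced by constructed
tables so the file runs offline; every hostname, address and allowlist
entry below is an assumption made up for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts the service is supposed to contact (assumed allowlist).
ALLOWED_HOSTS = {"meet.example.com", "partner.example.net"}

# Constructed DNS answers; no real lookups are made.
FAKE_DNS = {
    "meet.example.com": ["203.0.113.10"],
    "intranet.corp.example": ["10.0.0.1"],
    # An allowlisted name later repointed at an internal host (IPv4-mapped IPv6).
    "partner.example.net": ["::ffff:10.0.0.1"],
}

# Constructed "network": what answers at a given address and port.
FAKE_NETWORK = {
    ("203.0.113.10", 443): "200 OK meeting join page",
    ("10.0.0.1", 80): "200 OK internal admin portal",
    ("169.254.169.254", 80): "200 OK instance metadata",
}

# Address ranges a server-side fetch must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "168.63.129.16/32",            # Azure wire server / host agent
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(host):
    """Return the addresses for a name, passing IP literals through unchanged."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def simulated_get(ip, port):
    """Stand-in for an HTTP GET: a status line, or a connection error."""
    return FAKE_NETWORK.get((ip, port), "connection refused")


def is_blocked(ip_text):
    """True if the address is in a range the server must not connect to."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:a.b.c.d hides an IPv4 target
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def fetch_unchecked(url):
    """Vulnerable: the server connects to whatever the caller names."""
    parts = urlsplit(url)
    ips = resolve(parts.hostname)
    if not ips:
        return "dns failure"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Even the difference between "200 OK" and "connection refused" leaks
    # whether an internal host and port exist.
    return simulated_get(ips[0], port)


def fetch_checked(url):
    """Hardened: allowlisted host, every resolved address checked, and the
    connection made to the address that was checked."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "rejected: scheme"
    if parts.hostname not in ALLOWED_HOSTS:
        return "rejected: host not allowlisted"
    ips = resolve(parts.hostname)
    if not ips or any(is_blocked(ip) for ip in ips):
        return "rejected: resolves to a blocked address"
    port = parts.port or 443
    # Pin the connection to the checked address rather than resolving again
    # (defeats DNS rebinding); a real client must also refuse redirects.
    return simulated_get(ips[0], port)


if __name__ == "__main__":
    for url in ("http://169.254.169.254/", "http://intranet.corp.example/",
                "https://meet.example.com/join", "https://partner.example.net/"):
        print(f"{url:40} unchecked={fetch_unchecked(url)!r} checked={fetch_checked(url)!r}")
```

The allowlist is the control that matters; the blocked-range list is defence in depth for the case where an allowlisted name is repointed, which is why the check runs on the resolved addresses rather than on the hostname alone.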
Discovery
Microsoft rated CVE-2023-41763 as "Exploitation Detected" at release, and CISA's same-day KEV addition reflects that. Neither Microsoft nor CISA has published details of the observed activity or an attribution. The same Patch Tuesday fixed two other exploited zero-days, CVE-2023-36563 (WordPad information disclosure, NTLM hash leak) and CVE-2023-44487 (HTTP/2 Rapid Reset); they are in unrelated components, and nothing published links the three to a single campaign.
Exploitation Context
SSRF vulnerabilities in internet-accessible enterprise communication platforms are attractive to threat actors for several reasons:
- Pre-attack reconnaissance: mapping internal IP addresses, open ports and service topology from the outside helps plan later intrusion stages.
- Cloud metadata access: where Skype for Business Server runs as an Azure or other cloud VM, SSRF to 169.254.169.254 can reach the instance metadata service. Whether it yields anything depends on header control: Azure IMDS rejects requests that lack a Metadata: true header, and AWS IMDSv2 requires a session token obtained with a PUT, so an SSRF that controls only the target URL, as described here, is limited to confirming that the endpoint answers unless IMDSv1 or another unauthenticated metadata service is exposed.
- Internal service exploitation: admin interfaces and internal APIs that are not reachable from the internet may be reachable from the Front End server's position on the internal network, and an SSRF can at least establish that they exist.
Because exploitation needs no authentication (PR:N) and no user interaction, any internet-facing Skype for Business Server web service is exposed to this reconnaissance without a prior foothold.
Remediation
- Apply the October 2023 Skype for Business Server cumulative update for 2015 or 2019; this is the only fix for CVE-2023-41763.
- Plan to leave Skype for Business Server 2015 and 2019. Extended support for both ended on 14 October 2025, so deployments that must stay on-premises should move to Skype for Business Server Subscription Edition, Microsoft's supported successor, and the rest to Microsoft Teams.
- Keep the web services behind a reverse proxy. Skype for Business external web services are designed to be published through a reverse proxy (public 443 forwarded to 4443 on the Front End pool), never exposed directly; if external web access is not required at all, do not publish them. Restricting by source IP is rarely workable for remote users.
- Restrict egress from Front End servers instead of blanket-blocking RFC 1918 ranges. Front Ends legitimately need to reach SQL, Active Directory, Exchange (EWS over HTTPS), Office Web Apps Server (HTTPS) and other pool members, so a host or network firewall should allow those destinations and deny the rest, including 169.254.169.254. This does not fix the vulnerability; it reduces what an SSRF can reach. Do not block 168.63.129.16 on an Azure VM, since the platform agent, DHCP and health probes depend on it.
- Monitor outbound HTTP(S) from Front End servers for destinations outside that baseline, in particular cloud metadata addresses (169.254.169.254, and 168.63.129.16 from anything other than the Azure agent) and bursts of connections to many distinct internal hosts, which is what SSRF-driven scanning looks like.
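The egress baseline and the monitoring item above, as an added example that is not part of the original advisory or any Microsoft tooling: it reads constructed lines in the Windows Firewall log (pfirewall.log) layout, keeps outbound web connections from the Front End servers, and flags cloud metadata endpoints, internal destinations outside the baseline, and any source that fans out to several off-baseline internal hosts. The Front End addresses, the baseline and the log lines are assumptions made up for the example.

```python
"""Added example, not part of the original advisory or any Microsoft tooling.

Flags outbound web connections from Skype for Business Front End servers to
destinations an SSRF would be used against: cloud metadata addresses and
internal hosts outside the deployment's baseline. Input is a handful of
constructed lines in the Windows Firewall log (pfirewall.log) layout; the
server addresses and the baseline are assumptions made up for the example.
"""
import ipaddress
from collections import defaultdict

FRONT_END_SERVERS = {"10.20.30.5", "10.20.30.6"}        # assumed Front End pool
EXPECTED_INTERNAL = {"10.20.40.10", "10.20.40.11"}       # assumed Exchange / Office Web Apps
METADATA_ENDPOINTS = {"169.254.169.254", "168.63.129.16"}
WEB_PORTS = {80, 443, 4443, 8080}
SCAN_THRESHOLD = 3    # distinct off-baseline internal hosts from one source

# Constructed sample in pfirewall.log field order (see the #Fields: header).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-10-11 09:15:01 ALLOW TCP 10.20.30.5 10.20.40.10 50001 443 0 - 0 0 0 - - - SEND
2023-10-11 09:15:02 ALLOW TCP 10.20.30.5 169.254.169.254 50002 80 0 - 0 0 0 - - - SEND
2023-10-11 09:15:03 ALLOW TCP 10.20.30.5 10.0.0.1 50003 80 0 - 0 0 0 - - - SEND
2023-10-11 09:15:03 ALLOW TCP 10.20.30.5 10.0.0.2 50004 80 0 - 0 0 0 - - - SEND
2023-10-11 09:15:04 ALLOW TCP 10.20.30.5 10.0.0.3 50005 8080 0 - 0 0 0 - - - SEND
2023-10-11 09:15:05 ALLOW TCP 198.51.100.7 10.20.30.5 40001 4443 0 - 0 0 0 - - - RECEIVE
2023-10-11 09:15:06 ALLOW TCP 10.20.50.9 169.254.169.254 50006 80 0 - 0 0 0 - - - SEND
"""


def parse_line(line):
    """Return (src, dst, dport, path) for a TCP data line, or None for headers/blank/other."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 9 or f[3] != "TCP":
        return None
    return f[4], f[5], int(f[7]), f[-1]


def classify(dst):
    """Why an outbound destination is suspicious, or None if it is expected."""
    if dst in METADATA_ENDPOINTS:
        return "cloud metadata endpoint"
    if dst in EXPECTED_INTERNAL:
        return None
    if ipaddress.ip_address(dst).is_private:
        return "internal destination outside baseline"
    return None


def analyze(log_text):
    """Findings per connection, plus sources whose spread of internal
    destinations looks like SSRF-driven scanning."""
    findings = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, path = rec
        # Only outbound web traffic that originates from a Front End matters here.
        if path != "SEND" or src not in FRONT_END_SERVERS or dport not in WEB_PORTS:
            continue
        reason = classify(dst)
        if reason is None:
            continue
        findings.append((src, dst, dport, reason))
        if reason == "internal destination outside baseline":
            targets[src].add(dst)
    scan_sources = {s: len(d) for s, d in targets.items() if len(d) >= SCAN_THRESHOLD}
    return {"findings": findings, "scan_sources": scan_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print("ALERT %s -> %s:%d  %s" % f)
    for src, n in result["scan_sources"].items():
        print(f"SCAN  {src} reached {n} distinct off-baseline internal hosts")
```

On an Azure VM the guest agent talks to 168.63.129.16 over HTTP as a matter of course, so in that case the rule should key on the originating process (which the firewall log does not record) or exclude the agent's traffic before alerting; the other two checks carry over unchanged.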
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-41763 |
| Vendor / Product | Microsoft — Skype for Business |
| NVD Published | 2023-10-10 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-918 (Server-Side Request Forgery) |
| CISA KEV Added | 2023-10-10 |
| CISA KEV Deadline | 2023-10-31 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-10-10 | Microsoft October 2023 Patch Tuesday — CVE-2023-41763 patched as an actively exploited zero-day; CVE published and CISA KEV added on the same day — alongside CVE-2023-36563 (WordPad NTLM hash disclosure) |
| 2023-10-31 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center Advisory | Vendor Advisory |
| NVD — CVE-2023-41763 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |