Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Office and Windows HTML RCE in Microsoft Office/Windows Search

IdentifiersCVE-2023-36884CWE-94

CVE-2023-36884 is a remote code execution vulnerability affecting Microsoft Office and Windows, described by Microsoft and multiple supporting sources as an Office/Windows HTML RCE and also as a Windows Search remote code execution issue. It was exploited in the wild as a zero-day via specially crafted Microsoft Office, particularly Word, documents delivered through phishing. The attack chain bypassed security mechanisms built into Microsoft Office applications and enabled command execution in the victim’s context. The available content does not identify the exact vulnerable function, but it consistently ties exploitation to malicious Office documents, MSHTML/HTML handling, and cross-protocol file navigation behavior leveraged to escape normal Office protections.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution in the context of the targeted user. Reported downstream impacts include execution of attacker-controlled commands, installation of backdoors such as RomCom-like payloads, data theft, system damage, credential theft support activity, and establishment of persistence for follow-on intrusion activity. In observed campaigns, the vulnerability was used for targeted intrusions against government, defense, telecom, and financial organizations.

Mitigation

If you can’t patch tonight, do this now.

Before patching, and as defense-in-depth afterward, Microsoft recommended enabling the Attack Surface Reduction rule 'Block all Office applications from creating child processes,' which was reported to prevent the observed exploit chain. Microsoft Defender for Office 365 and Microsoft 365 Apps version 2302 and later were also described as providing protection. For organizations unable to use those protections, Microsoft recommended setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION with affected application names set to 1. Microsoft noted this workaround should be tested because it may affect normal functionality.

Remediation

Patch, then assume compromise.

Microsoft released security updates for CVE-2023-36884 on 2023-08-08. Apply the August 2023 Microsoft security updates that address CVE-2023-36884; these supersede earlier temporary mitigations. Ensure Microsoft 365 Apps are updated to protected versions and validate deployment across affected Office and Windows systems.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).

VALID 1 / 5 TOTALView more in app
CVE-2023-36884-MS-Office-HTML-RCEMaturityPoCVerified exploit

This repository provides a proof-of-concept exploit for CVE-2023-36884, a Microsoft Office remote code execution vulnerability exploited via crafted OOXML (DOCX) documents. The main script, 'gen_docx_with_rtf_altchunk.py', automates the creation of a DOCX file containing an RTF altChunk. The RTF file is modified to include a linked OLE object pointing to an attacker-controlled URL (such as an HTTP server or SMB share). When a victim opens the generated DOCX in Microsoft Office, the application processes the altChunk and the OLE object, potentially triggering remote code execution or leaking NTLM hashes to the attacker's server. The repository consists of a Python script for document generation and a README with usage instructions and background on the vulnerability. No weaponized payload is included; the exploit demonstrates the document crafting technique rather than delivering a full attack chain.

jakabakosDisclosed Sep 28, 2023pythondocumentnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 21h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2008 R2operating_system
Microsoft CorporationWindows Server 2008 Sp2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

34 SOURCESView more in app
securelistNews
May 5, 2026
Vulnerability landscape in Q4 2025 | Securelist

A Windows Search vulnerability that enables command execution while bypassing Microsoft Office security protections.

Read more
securelistNews
Apr 16, 2026
The vulnerability landscape in Q1 2026 | Securelist

A Windows Search vulnerability that enables command execution while bypassing Microsoft Office security mechanisms.

Read more
splunk researchNews
Feb 25, 2026
Detection: Windows Office Product Spawned Rundll32 With No DLL | Splunk Security Content

A remote code execution vulnerability affecting Microsoft Office and Windows HTML handling, referenced as an associated analytic story.

Read more
cyfirma newsNews
Feb 10, 2026
Weekly Intelligence Report - 06 February 2026 - CYFIRMA

A critical vulnerability listed as affecting Microsoft Windows / Netlogon Remote Protocol (MS-NRPC) in the report’s Dragonfly/TA17-293A exploited-vulnerabilities table.

Read more
+25 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence9

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-36884
NVD
nvd.nist.gov/vuln/detail/CVE-2023-36884
MITRE CWE · CWE-94
cwe.mitre.org
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36884