February 2023 Patch Tuesday: Three Exploited; Exchange, Word Bugs

Microsoft's February 2023 Patch Tuesday includes fixes for 75 security bugs, including three being actively exploited and four Exchange RCEs.

February 14, 2023 Zachary Comeau

[Editor’s note: An earlier version of this article stated there were two exploited bugs patched this month. It has been updated to reflect the additional exploited vulnerability.]

Microsoft has released patches to fix 75 security bugs in the February 2023 Patch Tuesday release, including one each in Microsoft Office, Windows Common Log File System Driver and Windows Graphics Component that are being actively exploited, as well as a handful of Exchange remote code execution vulnerabilities.

The 75 fixed vulnerabilities are far fewer than the 98 bugs Microsoft patched in its first security update release of the year in January, but there are still a handful that warrant closer inspection, testing and deployment.

According to analysis from Zero Day Initiative, Tenable, and other cybersecurity researchers, here are the February 2023 Patch Tuesday bugs IT admins should prioritize patching:

CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities

There are multiple remote code execution Exchange bugs getting fixes this month. According to Tenable, CVE-2023-21710 received a CVSSv3 score of 7.2 while the other three CVEs were assigned CVSSv3 scores of 8.8. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server, via a network call.

According to Tenable’s analysis, CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 are similar to CVE-2022-41082, an authenticated remote code execution bug that was publicly disclosed in September 2022 as part of ProxyNotShell.

Microsoft released mitigations in September 2022 to protect vulnerable servers until a patch was released in its November 2022 Patch Tuesday. A bypass of this mitigation, called OWASSRF (CVE-2022-41080), was then released in December 2022, per Tenable.

CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability

This bug is a security feature bypass in Microsoft Office, and it is one of the two bugs patched this month that are being actively exploited. However, exploitation requires a local, authenticated user to download and open an attacker-created file on a vulnerable system, so this requires some social engineering.

CVE-2023-23376 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

This is the other bug listed under active attack this month, and like its twin, there is little information about this vulnerability. According to Microsoft, the bug allows an attacker to execute code as SYSTEM, which could lead to a complete system takeover. A remote code execution bug is likely being used in conjunction with this one to spread malware or ransomware. This is the third CLFS flaw patched in the last year, including one that was disclosed by the National Security Agency and CrowdStrike in April 2022. This one was discovered by Microsoft’s Threat Intelligence Center, which suggests use by a sophisticated threat actor.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

This vulnerability gets a CVSS of 9.8, so IT admins should prioritize this Microsoft Word bug. The Outlook Preview Pane is an attack vector, and an attacker could use the bug to execute code at the level of the user without user interaction. It can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which allows for command execution if opened.

The Microsoft advisory for this vulnerability links to MS08-026 and KB922849 for guidance on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy, according to Tenable.

CVE-2023-21823 – Microsoft Windows Graphics Component Elevation of Privilege Vulnerability

This EoP vulnerability in the Microsoft Windows Graphics Component gets a CVSSv3 score of 7.8 and was exploited in the wild as a zero day, according to Tenable. Exploitation of this flaw requires an attacker to log onto a vulnerable system and execute a specially crafted application. Successful exploitation would grant an attacker the ability to run processes in an elevated context.

For more information on these bugs and the entire February 2023 Patch Tuesday release, read analysis from Tenable and Zero Day Initiative.
