Office and Windows HTML Remote Code Execution Vulnerability

Created: 2023/07/12 | Revised: 2023/07/12

Update: This vulnerability is now covered by a patch and has been superseded. No further action is needed.


Severity: A level of a security risk associated with a vulnerability exploitation
CVSS: Indication of a severity level of each CVE
Countermeasure: Availability of measures to reduce a probability of an attack or an impact of a threat
Public Aware: Availability of a public announcement of a vulnerability
Weaponized: Vulnerability being abused by exploit or malware


Pre-patching action is required to protect against this remote code execution vulnerability.


Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products.

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress.

Storm-0978 (also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.


An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.


Fix using Syxsense Console

This vulnerability can be automatically fixed within the Syxsense console.

Check the example of Syxsense Cortex Workflow implementation.

Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.

In current attack chains, the use of the "Block all Office applications from creating child processes" Attack Surface Reduction rule will prevent the vulnerability from being exploited.

Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.

Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.

Add the following application names to this registry key as values of type REG_DWORD with data 1.


  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
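
One way to audit and apply this registry mitigation on a host, as an added PowerShell example that is not Microsoft's or Syxsense's own script. This page names the key but not its parent registry path, so the script takes that path as the assumed `-FeatureControlPath` parameter; the `Get-ValueState` helper is hypothetical.

```powershell
# Added example: audit (and optionally apply) the per-application values the
# advisory lists under FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
[CmdletBinding()]
param(
    # Assumption: registry path of the parent FeatureControl key, taken from
    # Microsoft's advisory (this page names the key but not where it lives),
    # in PowerShell provider form, e.g. 'HKLM:\...\FeatureControl'.
    [Parameter(Mandatory)][string]$FeatureControlPath,
    [switch]$Apply   # without -Apply the script only reports
)

$keyPath = Join-Path $FeatureControlPath 'FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$apps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
        'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Get-ValueState([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'KeyMissing' }
    if ($key.GetValueNames() -notcontains $Name) { return 'ValueMissing' }
    # A REG_SZ "1" looks right in regedit but is not what the advisory asks for.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return 'WrongType' }
    if ($key.GetValue($Name) -ne 1) { return 'WrongData' }
    return 'OK'
}

# Create the key only when it is absent, so existing values are never wiped.
if ($Apply -and -not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

$report = foreach ($app in $apps) {
    $before = Get-ValueState $keyPath $app
    if ($Apply -and $before -ne 'OK') {
        # -Force overwrites a value that exists with the wrong type or data.
        New-ItemProperty -LiteralPath $keyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
    [pscustomobject]@{
        Application = $app
        Before      = $before
        After       = Get-ValueState $keyPath $app
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduler or management agent flag the host as unmitigated.
if ($report.After -ne 'OK') { exit 1 }
```

Run it without `-Apply` first to see which applications are uncovered; the `Before` column also gives a record of the prior state if the setting has to be rolled back because of the functionality impact noted above.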

Additionally, Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operation.
