In April 2023, Microsoft patched a serious security flaw in Microsoft Publisher — the popular desktop publishing application that ships with Microsoft Office. If you’re a Windows user or your organization lets people open Publisher files, you need to understand this bug, called CVE-2023-28295.
This post will cover what the vulnerability is, how it can be exploited (with a code snippet), and what you should do.
What is CVE-2023-28295?
CVE-2023-28295 is a remote code execution (RCE) vulnerability in Microsoft Publisher. In simple words: if an attacker creates a malicious Publisher file (with extension .pub) and tricks someone into opening it, the attacker can run code on that person’s computer — potentially taking full control.
Microsoft’s official security advisory is here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28295
This bug does *not* require the victim to enable macros or do anything fancy. Simply opening the Publisher file is enough to trigger the attack.
How Does the Exploit Work?
Publisher, behind the scenes, parses objects (like embedded scripts, fonts, images, etc.) described in the .pub file. A specially crafted file can trigger memory corruption. This gives the attacker the ability to execute code of their choosing — most often, downloading and running malware.
1. Victim receives the .pub file via email or download and opens it.
2. The malicious payload inside the file executes, giving the attacker remote access or letting them install ransomware/spyware.
Simple Exploit Example
Here’s a conceptual Python snippet to show *how* a .pub file can be modified.
*Note: This example does not create a real exploit, but shows how attackers might inject raw shellcode in a file format that parses user-controlled inputs.*
```python
# Dummy example: inject a "payload" into a .pub file (Publisher file is OLE2 structured)
import olefile

malicious_payload = b"\x90" * 100 + b"PAYLOAD"

with olefile.OleFileIO('clean_template.pub', write_mode=True) as ole:
    # Publisher files usually have a stream named "Contents"
    if ole.exists('Contents'):
        data = ole.openstream('Contents').read()
        # Find a place to insert malicious payload
        new_data = data.replace(b'PLACEHOLDER', malicious_payload)
        # olefile can only overwrite a stream in place with data of the same size
        if len(new_data) != len(data):
            raise ValueError('replacement changed the stream size; pad the template first')
        ole.write_stream('Contents', new_data)
    else:
        print('No Contents stream found!')
```
Attackers work out which bytes to change or add in order to trigger the memory corruption bug.
You can find real-world exploits on exploit databases and GitHub (see references below).
Exploit Tools and Public PoCs
* Proof of Concept (PoC) on GitHub
* Exploit database entry
Some tools generate a Publisher file containing malicious code to trigger this vulnerability. Most public PoCs only crash Publisher, but skilled attackers can turn that into reliable code execution.
Impact
If exploited, the attacker gets the same rights as the user who opened the file. This means on a regular computer, they could:
- Move deeper into your network
If you use Microsoft Publisher, or anyone in your company does, you must treat this as a critical issue.
Patch your systems!
- Install Microsoft’s April 2023 Security Update
References
- Microsoft Advisory CVE-2023-28295
- NIST NVD Entry
- Exploit Database
- GitHub PoC
Takeaway:
CVE-2023-28295 is a critical vulnerability in Microsoft Publisher. Patch fast. Educate your users. Block unknown .pub files. Because just opening a file can let attackers in — it’s that simple.
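The two defensive points above, that Publisher files are OLE2 containers and that unknown .pub files should be blocked, can be combined into a gateway-side check. The following is an added example written for this post (not code from the post, from Microsoft, or from any named tool): it parses the OLE2 header in pure Python, flags .pub attachments that are not well-formed containers, and applies the block-unknown-senders policy; the filenames, the trusted-sender flag and the sample bytes are constructed assumptions.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File (OLE2) signature

def parse_ole_header(data):
    # Fixed 512-byte header at offset 0; None if the magic is absent or the file is shorter.
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    fields = struct.unpack_from("<HHHH", data, 0x1A) + struct.unpack_from("<5I", data, 0x28)
    return dict(zip(("major", "byte_order", "sector_shift", "mini_shift",
                     "n_dir", "n_fat", "first_dir", "txn", "mini_cutoff"), fields))

def pub_findings(data):
    """Structural sanity checks on a .pub blob; each string is a reason to hold the file."""
    hdr = parse_ole_header(data)
    if hdr is None:
        return ["not an OLE2 container (spoofed extension or truncated file)"]
    if hdr["sector_shift"] != {3: 9, 4: 12}.get(hdr["major"]):
        return ["unexpected version/sector size: v%d shift %d" % (hdr["major"], hdr["sector_shift"])]
    out = []
    if hdr["byte_order"] != 0xFFFE or hdr["mini_shift"] != 6 or hdr["mini_cutoff"] != 4096:
        out.append("non-standard byte order or mini-stream parameters")
    sector = 1 << hdr["sector_shift"]
    body = len(data) - sector            # everything after the header sector
    n_sectors = body // sector
    if body < 0 or body % sector:
        out.append("file length is not a whole number of sectors")
    if hdr["first_dir"] >= n_sectors:
        out.append("directory start sector %d lies beyond end of file" % hdr["first_dir"])
    if hdr["n_fat"] > n_sectors:
        out.append("FAT sector count %d exceeds sectors in file" % hdr["n_fat"])
    return out

def should_quarantine(filename, data, sender_trusted):
    """Policy from the post: hold .pub files from unknown senders, and any .pub that fails the checks."""
    if not filename.lower().endswith(".pub"):
        return False
    return (not sender_trusted) or bool(pub_findings(data))

def build_sample(first_dir=1, n_fat=1, sectors=2, magic=OLE_MAGIC):
    # Constructed test data: a minimal v3 header followed by `sectors` zero-filled 512-byte sectors.
    hdr = bytearray(512)
    hdr[:8] = magic
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)       # versions, byte order, shifts
    struct.pack_into("<5I", hdr, 0x28, 0, n_fat, first_dir, 0, 4096)   # dir/FAT counts, cutoff
    struct.pack_into("<4I109I", hdr, 0x3C, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0, *([0xFFFFFFFF] * 109))
    return bytes(hdr) + b"\0" * (512 * sectors)
```

A real gateway would run this before the file ever reaches a machine with Publisher installed; a file that passes is merely well-formed, not proven safe, so the sender policy still applies.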
Timeline
Published on: 06/17/2023 01:15:00 UTC
Last modified on: 06/17/2023 02:32:00 UTC