The 2023 April Patch Tuesday comes with fixes for 97 CVEs
Track each individual vulnerability and weigh in the risks
9 min. read
Updated on
Share this article
Improve this guide
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Key notes
- A pretty busy month for a Microsoft Patch Tuesday release, with 128 CVEs.
- Out of all the CVEs, 7 are rated Critical and 90 are rated Important in severity.
- We've included each and everyone in this article, with direct links as well.
Easter is almost upon us, but not everything comes down to flowers, colored eggs, and baby rabbits. There are those who eagerly await Microsoft’s Patch Tuesday rollout.
And, as you know, it’s the second Tuesday of the month, which means that Windows users are looking towards the tech giant in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We have already taken the liberty of providing the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk CVEs again.
For April, Microsoft released 97 new patches, which is still more than some people were expecting for the third month of 2023.
These software updates address CVEs in:
- Windows and Windows components
- Office and Office Components
- Windows Defender
- SharePoint Server
- Windows Hyper-V
- PostScript Printer
- Microsoft Dynamic
You probably want to know more on the matter, so let’s dive right into it and see what all the fuss is about this month.
Almost 100 security fixes for the Windows OS in April 2023
Let’s just say that March was far from being a busy month for Microsoft, and still, they managed to release a total of 97 updates.
Even though some might see this as a high number, Microsoft released a total of 128 security patches in April of 2022, so this number is actually lower.
Please keep in mind that, out of all the patches released today, seven are rated Critical and 90 are rated Important in severity.
Even though this high volume does seem to be in line with past years, the number of remote code execution (RCE) bugs makes up nearly half the release.
Experts say it is a bit peculiar to see that many RCE fixes in a single month. Keep in mind that none of the bugs disclosed over Teams during Pwn2Own Vancouver are being addressed by Microsoft this month.
Furthermore, one of the new CVEs is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month.
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-28260 | .NET DLL Hijacking Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28312 | Azure Machine Learning Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-28300 | Azure Service Connector Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-24860 | Microsoft Defender Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28309 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-28314 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-28313 | Microsoft Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-21769 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28302 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28285 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-24883 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24884 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24885 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24886 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24887 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24924 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24925 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24926 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24927 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24928 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24929 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28243 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28287 | Microsoft Publisher Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28295 | Microsoft Publisher Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28288 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-23375 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23384 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2023-28304 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28275 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28311 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28268 | Netlogon RPC Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-28292 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28267 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-21729 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important | 4.3 | No | No | Info |
| CVE-2023-21727 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24893 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28262 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28263 | Visual Studio Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28296 | Visual Studio Remote Code Execution Vulnerability | Important | 8.4 | No | No | RCE |
| CVE-2023-28299 | Visual Studio Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-24914 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28223 | Windows Domain Name Service Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28216 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28218 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28227 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-28249 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2023-28269 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28273 | Windows Clip Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28229 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28266 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28277 | Windows DNS Server Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
| CVE-2023-28254 | Windows DNS Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-28255 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28256 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28278 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28305 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28306 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28307 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28308 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28226 | Windows Enroll Engine Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
| CVE-2023-28221 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-24912 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28276 | Windows Group Policy Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2023-28238 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-28244 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-28298 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-28222 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-28236 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28248 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28272 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28293 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28253 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28271 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28237 | Windows Kernel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28235 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28270 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28217 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28247 | Windows Network File System Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-28240 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28225 | Windows NTLM Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28224 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-28246 | Windows Registry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28297 | Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24931 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28233 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28234 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28241 | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28228 | Windows Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-28274 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28284 * | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate | 4.3 | No | No | SFB |
| CVE-2023-24935 * | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low | N/A | No | No | Spoofing |
| CVE-2023-28301 * | Microsoft Edge (Chromium-based) Tampering Vulnerability | Low | 4.2 | No | No | Tampering |
Let’s look at CVE-2023-2825 for one second. This is the one bug under active attack this month, and you might know it because there was a similar 0-day patched in the same component just two months ago.
Apparently, the original fix was insufficient and attackers have found a method to bypass that fix. There is still no information about how widespread these attacks may be.
Please note that this type of exploit is typically paired with a code execution bug to spread malware or ransomware.
On the other hand, CVE-2023-21554 receives Microsoft’s highest exploitability rating. This one allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled.
Know that this service is disabled by default but is commonly used by many contact center applications, as it listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks.
CVE-2013-3900 is a 10-year-old patch being reissued. You might find this one a bit familiar, and it’s because it was used by a threat actor in the recent 3CX attacks.
Back in the day, this was an opt-in fix, meaning admins had to opt in to get this fix. With this revision, add fixes for additional platforms and adds further recommendations for enterprises.
Looking at the remaining Critical-rated patches, there’s another dangerous bug in Pragmatic General Multicast (PGM) that’s similar to the MSMQ bug already discussed.
That being said, this bug is listed as not exploitable as the Messaging Queue vulnerability. There’s also a bug in the DHCP server, but it may not be as severe as it initially seems.
In fact, it requires a network-adjacent attacker to send an affected DHCP server a specially crafted RPC call. DHCP is not a routable protocol (or a secure one), so external threat actors can’t take advantage of this vulnerability.
Moving on, there are a couple of Critical-rated bugs in the Layer 2 Tunneling Protocol and the Point-to-Point Tunneling Protocol.
There have been plenty of similar bugs that received fixes over the last few months, but none have ever been reported as being exploited in the wild.
This final Critical-rated bug impacts the Raw Image Extension, and viewing a specially-crafted file could actually lead to code execution.
Let’s also mention the three cross-site scripting (XSS) bugs in Dynamics 365, which break the streak of five XSS bugs in Dynamics seen in the last two months.
Feel free to check each individual CVE and find out more about what it means, how it manifests, and what scenarios can malicious third parties use to exploit them.
Have you found any other issues after installing this month’s security updates? Share your experience with us in the comments section below.
