CISA adds CVE-2023-29360 to the Exploited Vulnerabilities Database

This content has been archived. But, the content is true and relevant to the underlying technology products or infrastructure services.

The Cybersecurity and Security Agency (CISA) added CVE-2023-29360 to the Known Exploited Vulnerabilities database on 29 February 2024. It has allowed 3 weeks to patch this threat i.e. by 21 March 2024.

Salient points

  • CVE-2023-29360 is an Elevation of Privilege vulnerability affecting Microsoft Streaming Service.
  • This is a CVSS 8.4 vulnerability with HIGH severity.
  • It was first detected by the Trend Micro Zero Day initiative in June 2023.
  • This vulnerability was first reported by Microsoft in June 2023. It was successfully patched as part of the June 2023 Patch Tuesday program.
  • This is not a new vulnerability. It is more likely to be exploited if the target systems are unpatched since June 2023.

What versions of Windows are affected?

CVE-2023-29360 affects the following versions of Windows operating systems:

CVE-2024-21338 Vulnerability

Windows VersionBuild NumberFixed in Security Update
Windows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.709KB5034769
Windows 11 Version 23H2 for x64-based Systems10.0.22631.3155KB5034765
Windows 11 Version 23H2 for ARM64-based Systems10.0.22631.3155KB5034765
Windows 10 Version 22H2 for 32-bit Systems10.0.19045.4046KB5034763
Windows 10 Version 22H2 for ARM64-based Systems10.0.19045.4046KB5034763
Windows 10 Version 22H2 for x64-based Systems10.0.19045.4046KB5034763
Windows 11 Version 22H2 for x64-based Systems10.0.22621.3155KB5034765
Windows 11 Version 22H2 for ARM64-based Systems10.0.22621.3155KB5034765
Windows 10 Version 21H2 for x64-based Systems10.0.19044.4046KB5034763
Windows 10 Version 21H2 for ARM64-based Systems10.0.19044.4046KB5034763
Windows 10 Version 21H2 for 32-bit Systems10.0.19044.4046KB5034763
Windows 11 version 21H2 for ARM64-based Systems10.0.22000.2777KB5034766
Windows 11 version 21H2 for x64-based Systems10.0.22000.2777KB5034766
Windows Server 2022 (Server Core installation)10.0.20348.2322KB5034770
Windows Server 202210.0.20348.2322KB5034770
Windows Server 2019 (Server Core installation)10.0.17763.5458KB5034768
Windows Server 201910.0.17763.5458KB5034768
Windows 10 Version 1809 for ARM64-based Systems10.0.17763.5458KB5034768
Windows 10 Version 1809 for x64-based Systems10.0.17763.5458KB5034768
Windows 10 Version 1809 for 32-bit Systems10.0.17763.5458KB5034768

About CVE-2023-29360

We share brief details of CVE-2023-29360 below.

  • CVSS Score of 8.4
  • Impact is the Elevation of Privileges
  • Severity is HIGH

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This vulnerability was patched in June 2023 Patch Tuesday security updates. If you have deployed June 2023 cumulative updates or security updates, you would have already patched against CVE-2023-29360.

If you have installed any cumulative update after June 2023, the threat would have been resolved. This is because cumulative monthly updates are cumulative in nature and contain changes of preceding cumulative updates.

So, we must ensure that we have a cumulative update of June 2023 or a later date on the affected Windows operating system.

If you are unable to install the June 2023 cumulative update or any subsequent cumulative update, please consider discontinuing the use of Microsoft Streaming Service.

About Microsoft Streaming Service

Microsoft Stream is an enterprise video platform integrated within the Microsoft 365 ecosystem, designed to facilitate communication, collaboration, and learning within organizations. 

Microsoft Stream Features:

  • Video Creation and Sharing: Users can record their screens, themselves, or Teams meetings, add text, drawings, and effects to personalize videos, and easily share them with colleagues for feedback.
  • Integration with Microsoft 365 Apps: Microsoft Stream is deeply integrated with various Microsoft 365 apps like Teams, SharePoint, Viva Engage, PowerPoint, and OneDrive, allowing seamless video creation and consumption within these platforms.
  • Two Versions: Microsoft offers two versions of Stream – Stream (Classic) and Stream (built on SharePoint). The latter version is the new iteration that offers enhanced video playback experiences and is gradually replacing the classic version.
  • Storage Integration: Videos in the new version of Stream are stored in SharePoint, Teams, and OneDrive alongside other files like documents and presentations.
  • Enhanced User Experience: With features like automatic transcription in multiple languages, viewer analytics, video chapters, and integration into Microsoft Search, Microsoft Stream aims to provide a user-friendly and efficient video-sharing experience.

More Security Stories

You may like to read more cyber-security stories below:

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.