Skip to content

Microsoft fixes 3 exploited zero-days and 77 other flaws

  • by
  • 2 min read

Microsoft has fixed three exploited zero-day vulnerabilities in its February 14 patch Tuesday update, which also fixed 77 flaws, including nine critical ones. These nine vulnerabilities allowed remote code execution on vulnerable devices.

As for the three actively exploited zero-day vulnerabilities affect the Windows Graphics component, Microsoft Publisher and the Windows Common Log File System driver.

CVE codeAffected productVulnerability typeDescription
CVE-2023-21823Windows Graphics ComponentRemote code executionIf exploited, allows a hacker to remotely execute commands with System-level privileges.
CVE-2023-21715Microsoft PublisherSecurity features bypassIf exploited, allows an attacker to allow macros in a malicious Publisher document to run without warning the user.
CVE-2023-23376 Windows Common Log File System driverPrivilege escalationIf exploited, allows an attacker to gain System-level privileges.

The nine critical vulnerabilities affect .NET, Visual Studio, Word, SQL Server, Windows iSCSI and Windows Protected EAP (PEAP). These are tracked with the following CVE codes:

CVE CodeAffected ProductVulnerability type
CVE-2023-21808.NET and Visual StudioRemote code execution
CVE-2023-21716Microsoft Office WordRemote code execution
CVE-2023-21718SQL ServerSQL ODBC driver remote code execution
CVE-2023-21815Visual StudioRemote code execution
CVE-2023-23381Visual StudioRemote code execution
CVE-2023-21803Windows iSCSIiSCSI Discovery Service remote code execution
CVE-2023-21692Windows Protected EAP (PEAP)Remote code execution
CVE-2023-21690Windows Protected EAP (PEAP)Remote code execution
CVE-2023-21689Windows Protected EAP (PEAP)Remote code execution

Overall, the updates labelled KB5022845 and KB5022836 for Windows 11 and KB5022834 and KB5022840 for Windows 10 fixed the following bugs.

  • 12 Privilege escalation bugs
  • 2 security bypass bugs
  • 38 remote code execution (RCE) bugs
  • 8 information disclosure bugs
  • 10 DoS bugs
  • 8 spoofing vulnerabilities

Keep in mind that some of these updates will be delivered using the Microsoft Store, meaning users who have disabled automatic updates from the Store will either have to manually install them or enable automatic updates from the Microsoft Store. The rest of the updates will be delivered through Windows Update and should install themselves automatically on most systems.

In the News: Pepsi Bottling Ventures leaks sensitive data in malware attack


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: