CVE-2023-36399 is a vulnerability classified under CWE-59 (Improper Link Resolution Before File Access) affecting Microsoft Windows Server 2022, 23H2 Edition (Server Core installation). This flaw arises from the Windows Storage component incorrectly resolving symbolic links before accessing files, which can be exploited by an attacker with low-level privileges on the system. By creating or manipulating symbolic links, an attacker can trick the system into accessing or modifying files that should be protected, thereby escalating their privileges. The vulnerability does not require user interaction but does require local access with low privileges, making it a local elevation of privilege (EoP) vulnerability. The CVSS v3.1 base score is 7.1, indicating high severity, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, meaning the attack vector is local, with low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts. No public exploits or active exploitation in the wild have been reported yet. The vulnerability was reserved in June 2023 and published in November 2023. The lack of patch links suggests that a fix may be forthcoming or recently released but not linked here. This vulnerability is critical for environments relying on Windows Server 2022 Core installations, often used in enterprise and cloud infrastructure, where privilege escalation can lead to full system compromise or disruption of services.

For European organizations, this vulnerability poses a significant risk, especially those deploying Windows Server 2022 Core installations in critical infrastructure, cloud services, and enterprise environments. Successful exploitation allows attackers with limited local access to escalate privileges, potentially leading to unauthorized modification or disruption of critical system files and services. This can result in data integrity loss, service outages, and increased risk of lateral movement within networks. Given the high adoption of Windows Server platforms in Europe, particularly in sectors such as finance, manufacturing, healthcare, and government, the impact could be substantial. Additionally, organizations with remote or hybrid work models may face increased risk if local access controls are weak. The absence of known exploits in the wild provides a window for proactive mitigation, but the vulnerability’s nature means that insider threats or attackers who gain initial footholds could leverage it to deepen their access and cause significant damage.

1. Monitor Microsoft security advisories closely and apply patches immediately once available for Windows Server 2022, 23H2 Edition (Server Core installation). 2. Restrict local access to Windows Server systems to trusted administrators and users only, minimizing the attack surface for local privilege escalation. 3. Implement strict file system permissions and audit symbolic link creation and usage to detect and prevent unauthorized link manipulation. 4. Use application whitelisting and endpoint detection and response (EDR) tools to monitor for suspicious activities related to file access and privilege escalation attempts. 5. Employ network segmentation to limit lateral movement opportunities if an attacker gains local access. 6. Conduct regular security assessments and penetration tests focusing on privilege escalation vectors. 7. Educate system administrators about the risks of symbolic link vulnerabilities and best practices for secure server configuration. 8. Consider deploying enhanced logging and alerting for file system changes and privilege escalation attempts on critical servers.