PatchSiren

CVE-2023-23391 Microsoft CVE debrief

CVE-2023-23391 is a Microsoft Office for Android spoofing vulnerability with a medium CVSS score of 5.5. The NVD record shows a user-interaction-dependent issue that can affect integrity, with no listed confidentiality or availability impact. Microsoft’s MSRC advisory is the primary vendor reference for remediation. For defenders, the main concern is Android deployments of Microsoft Office, especially where app versions are centrally managed and users may trust the app interface to represent content or identity accurately. The NVD record specifically identifies the vulnerable Android CPE for Microsoft Office, indicating that update verification should focus on Android builds rather than desktop Office installations.

Vendor: Microsoft
Product: Microsoft Office for Android
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-03-14
Original CVE updated: 2024-11-21
Advisory published: 2023-03-14
Advisory updated: 2024-11-21

Who should care

Organizations and users running Microsoft Office for Android, especially in managed mobile fleets where app versions are centrally deployed and trust in the app UI matters.

Technical summary

NVD classifies CVE-2023-23391 as CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. That means the issue requires user interaction, requires no privileges, and is primarily an integrity problem. NVD also lists a vulnerable Microsoft Office Android CPE: cpe:2.3:a:microsoft:office:16.0.16026.20172:*:*:*:*:android:*:*.

Defensive priority

Medium priority. Update Microsoft Office for Android promptly, validate that managed devices are not pinned to the vulnerable build, and use the Microsoft advisory as the authoritative remediation source.

Recommended defensive actions

  • Review the Microsoft MSRC advisory for CVE-2023-23391 and apply the recommended update path for Office for Android.
  • Check managed Android app deployments to confirm Office for Android is not running the vulnerable build identified by NVD.
  • Prioritize updates on devices where Office is used to view or share trusted business content.
  • Communicate to users that this issue involves spoofing and depends on user interaction, so visual trust cues should not be taken at face value until patched.
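
One way to run the managed-deployment check above against an MDM export, as an added example that is not PatchSiren, NVD or Microsoft code. The inventory schema (device, vendor, product, platform, version), the status labels and every sample version except the build quoted from NVD are assumptions constructed for illustration.

```python
import re
# CPE 2.3 string copied from the NVD record quoted on this page.
VULNERABLE_CPE = "cpe:2.3:a:microsoft:office:16.0.16026.20172:*:*:*:*:android:*:*"
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped ':' into named attributes."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def version_key(v):
    """Dotted numeric version -> tuple of ints, or None if missing/unparseable."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except (AttributeError, ValueError):
        return None

def classify(row, cpe=VULNERABLE_CPE):
    """Classify one inventory row (hypothetical schema) against the CPE."""
    want = parse_cpe23(cpe)
    have = {"vendor": row.get("vendor"), "product": row.get("product"),
            "target_sw": row.get("platform")}
    for attr, value in have.items():
        if want[attr] != "*" and (value or "").lower() != want[attr]:
            return "out-of-scope"          # e.g. desktop Office installations
    got, listed = version_key(row.get("version")), version_key(want["version"])
    if got is None:
        return "unknown-version"           # unverified, not safe
    if got == listed:
        return "vulnerable-build"
    # Assumption: an older build is not known to be fixed; check the MSRC advisory.
    return "review-older-build" if got < listed else "not-listed"

def _row(device, platform, version):
    return {"device": device, "vendor": "Microsoft", "product": "Office",
            "platform": platform, "version": version}

# Constructed sample inventory; only the first version is taken from the page.
INVENTORY = [_row("A-001", "Android", "16.0.16026.20172"),
             _row("A-002", "Android", "16.0.99999.1"),
             _row("A-003", "Android", "16.0.1.1"),
             _row("A-004", "Android", ""),
             _row("W-001", "Windows", "16.0.16026.20172")]

def triage(inventory):
    return {row["device"]: classify(row) for row in inventory}
```

A "not-listed" result only means the build differs from the single CPE entry NVD lists; the MSRC advisory remains the source for which build carries the fix.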

Evidence notes

Official sources provided in the corpus include the CVE record, the NVD detail page, and Microsoft’s MSRC advisory. The NVD metadata lists the CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N and identifies the vulnerable Android CPE cpe:2.3:a:microsoft:office:16.0.16026.20172:*:*:*:*:android:*:*. The record was published on 2023-03-14 and later modified on 2024-11-21. NVD also lists Microsoft’s MSRC advisory as the patch/vendor reference.

Official resources

CVE-2023-23391 was published on 2023-03-14. The NVD record was later modified on 2024-11-21; that modified date is record maintenance, not the vulnerability issue date. Microsoft’s MSRC advisory is linked as the official vendor reference.