PatchSiren cyber security CVE debrief

CVE-2023-29335 Microsoft CVE debrief

CVE-2023-29335 is a Microsoft Word Security Feature Bypass Vulnerability with a CVSS 3.1 score of 7.5 (HIGH). Published on May 9, 2023, this vulnerability affects multiple Microsoft products including Word 2013 RT, Word 2013 SP1 RT, Word 2016, Office 2019, Microsoft 365 Apps for Enterprise, Office LTSC 2021, and various Windows 10, Windows 11, and Windows Server versions. The vulnerability requires user interaction and has high attack complexity, but can result in high impact to confidentiality, integrity, and availability when exploited. Microsoft has released patches for affected products. The vulnerability was last modified in the NVD on May 19, 2026. No known exploitation in ransomware campaigns has been documented, and it is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Microsoft
Product: Microsoft Office 2019
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-05-09
Original CVE updated: 2026-05-19
Advisory published: 2023-05-09
Advisory updated: 2026-05-19

Who should care

Organizations running affected Microsoft Office and Windows versions, particularly those with users who regularly handle documents from external sources. Security teams responsible for endpoint protection and patch management should prioritize this vulnerability because of its HIGH severity rating and the widespread deployment of the affected products.

Technical summary

This vulnerability allows an attacker to bypass security features in Microsoft Word. The attack vector is network-based with high attack complexity; it requires no privileges but does require user interaction. Successful exploitation can lead to high impact on the confidentiality, integrity, and availability of the affected system. The vulnerability affects Word 2013 RT (including SP1), Word 2016, Office 2019, Microsoft 365 Apps for Enterprise, Office LTSC 2021, and multiple Windows versions that include Word components. Microsoft has issued patches addressing this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Microsoft security updates for affected Word, Office, and Windows versions as referenced in the Microsoft Security Response Center advisory
  • Prioritize patching for systems running Word 2013 RT, Word 2016, Office 2019, and Microsoft 365 Apps for Enterprise where user interaction with documents is common
  • Review and reinforce security awareness training regarding suspicious document handling, as exploitation requires user interaction
  • Consider implementing Microsoft Defender Application Guard or similar sandboxing technologies for Office documents to mitigate impact of potential exploitation
  • Monitor for anomalous Word process behavior and network connections from Office applications as potential indicators of compromise

Evidence notes

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Weaknesses identified include CWE-20 (Improper Input Validation) per Microsoft and NVD-CWE-noinfo per NVD. Affected product versions are documented through CPE criteria in the NVD record.

Official resources

Microsoft disclosed this vulnerability on May 9, 2023, as part of their monthly security update cycle. The CVE record was subsequently modified on May 19, 2026, reflecting ongoing maintenance of vulnerability data.