PatchSiren cyber security CVE debrief
CVE-2023-33152 Microsoft CVE debrief
CVE-2023-33152 is a Microsoft ActiveX Remote Code Execution vulnerability affecting multiple Microsoft Office products. Published on July 11, 2023, it carries a HIGH severity CVSS score of 7.0. The CVE record was last modified on May 19, 2026, indicating ongoing updates to the record. Microsoft has released patches and vendor advisories to address this issue. The vulnerability affects Microsoft 365 Apps Enterprise (x64 and x86), Office 2013 SP1 (x64, x86, and RT), Office 2016 (x64 and x86), Office 2019 (x64 and x86), and Office Long Term Servicing Channel 2021 (x64 and x86). The CVSS vector describes a local attack vector with high attack complexity that requires no privileges but does require user interaction, with high impact on confidentiality, integrity, and availability. Microsoft's Security Response Center associates the weakness with CWE-122 (Heap-based Buffer Overflow), while NVD lists it as NVD-CWE-noinfo.
- Vendor: Microsoft
- Product: Microsoft Office 2019
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-07-11
- Original CVE updated: 2026-05-19
- Advisory published: 2023-07-11
- Advisory updated: 2026-05-19
Who should care
Organizations running Microsoft Office 2013 SP1, 2016, 2019, Microsoft 365 Apps Enterprise, or Office LTSC 2021 should prioritize patching. Security teams should focus on email and document security controls given the user interaction requirement for exploitation.
Technical summary
This vulnerability exists in Microsoft ActiveX controls used by Office applications. Successful exploitation requires user interaction, such as opening a malicious document. The attack complexity is high, but successful exploitation results in complete compromise of confidentiality, integrity, and availability on the affected system. The vulnerability affects a broad range of Office versions from 2013 SP1 through Microsoft 365 Apps Enterprise and Office LTSC 2021.
Defensive priority
HIGH
Recommended defensive actions
- Apply Microsoft security updates for affected Office products as provided in the July 2023 Patch Tuesday release.
- Review Microsoft Security Response Center guidance for CVE-2023-33152 for deployment prioritization.
- Consider restricting ActiveX controls in Microsoft Office applications through Group Policy or Trust Center settings where business requirements permit.
- Monitor for suspicious Office documents that may attempt to leverage ActiveX vulnerabilities.
- Ensure Microsoft 365 Apps, Office 2019, Office 2016, and Office 2013 SP1 installations are updated to patched versions.
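One way to act on the monitoring item above, as an added example that is not PatchSiren's or Microsoft's code: a Python triage helper that lists embedded ActiveX parts in OOXML documents (.docx, .xlsx, .pptx and their macro-enabled variants). It reports that a document carries ActiveX controls, not that it exploits CVE-2023-33152; `find_activex_parts` and `make_sample` are hypothetical names, and the sample package is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types OOXML gives ActiveX parts: the XML wrapper and its binary stream.
ACTIVEX_TYPES = {"application/vnd.ms-office.activeX+xml",
                 "application/vnd.ms-office.activeX"}

def _content_types(pkg):
    """Parse [Content_Types].xml into (defaults by extension, overrides by part)."""
    try:
        raw = pkg.read("[Content_Types].xml")
        if b"<!DOCTYPE" in raw:       # a manifest needs no DTD; skip entity tricks
            return {}, {}
        root = ET.fromstring(raw)
    except (KeyError, ET.ParseError):
        return {}, {}
    defaults = {e.get("Extension", "").lower(): e.get("ContentType")
                for e in root.iter(NS + "Default")}
    overrides = {e.get("PartName", "").lstrip("/"): e.get("ContentType")
                 for e in root.iter(NS + "Override")}
    return defaults, overrides

def find_activex_parts(data):
    """Return sorted part names in an OOXML package that carry ActiveX controls."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []                     # legacy OLE2 files are out of scope here
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        defaults, overrides = _content_types(pkg)
        hits = []
        for name in pkg.namelist():
            ext = name.rsplit(".", 1)[-1].lower()
            ctype = overrides.get(name, defaults.get(ext))  # Override beats Default
            if ctype in ACTIVEX_TYPES or "/activex/" in name.lower():
                hits.append(name)
    return sorted(hits)

def make_sample(with_control):
    """Constructed demo input: a minimal OOXML-style package built in memory."""
    override = ('<Override PartName="/word/controls/c1.xml" '
                'ContentType="application/vnd.ms-office.activeX+xml"/>')
    types = '<Types xmlns="%s">%s</Types>' % (NS[1:-1], override if with_control else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<document/>")
        for extra in (("word/controls/c1.xml", "word/activeX/activeX1.bin") if with_control else ()):
            z.writestr(extra, "x")
    return buf.getvalue()
```

A non-empty result is a reason to route the file for closer inspection or to confirm that the receiving endpoint has the July 2023 Office updates applied.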
Evidence notes
CVE published 2023-07-11; modified 2026-05-19. CVSS 3.1 vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected products confirmed via NVD CPE criteria. Microsoft assigned CWE-122; NVD assigned NVD-CWE-noinfo.
Official resources
- CVE-2023-33152 CVE record: CVE.org
- CVE-2023-33152 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
Microsoft disclosed this vulnerability on July 11, 2023, with patches and vendor advisories available through their Security Response Center.