PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-33162 Microsoft CVE debrief

CVE-2023-33162 is a Microsoft Excel information disclosure vulnerability with a CVSS 3.1 base score of 5.5 (MEDIUM severity). The vulnerability was published on July 11, 2023, and last modified on May 19, 2026. It allows a local attacker to obtain sensitive information; exploitation requires user interaction (opening a crafted file) but no privileges. The vulnerability affects multiple Microsoft Office and Microsoft 365 Apps deployments across Windows (x64/x86), macOS, and Office Online Server platforms, including Office 2013 SP1, Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps Enterprise editions. Microsoft has released patches and vendor guidance to address this vulnerability.

Vendor: Microsoft
Product: Microsoft Office 2019
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-11
Original CVE updated: 2026-05-19
Advisory published: 2023-07-11
Advisory updated: 2026-05-19

Who should care

Organizations running affected Microsoft Office versions in environments where users open Excel documents from external or untrusted sources should prioritize remediation. Security teams responsible for endpoint protection, patch management administrators, and IT operations supporting document-intensive workflows are the primary stakeholders. Organizations with compliance requirements for data confidentiality should assess exposure, particularly those in regulated industries handling sensitive financial, healthcare, or personal data in Excel formats.

Technical summary

This vulnerability exists in Microsoft Excel and can result in information disclosure when a user opens a specially crafted file. Exploitation requires local access and user interaction: once the victim opens the file, the attacker can read sensitive information from memory. The vulnerability stems from an out-of-bounds read condition (CWE-125) in Excel's file parsing components. Affected products span multiple Office versions and deployment architectures, from legacy Office 2013 SP1 through current Office LTSC 2021 and the Microsoft 365 Apps Enterprise channels. The vulnerability does not affect integrity or availability, but the high confidentiality impact rating indicates significant potential for sensitive data exposure.

Defensive priority

medium

Recommended defensive actions

  • Apply Microsoft security updates for affected Office and Microsoft 365 Apps installations as provided in the Microsoft Security Response Center guidance
  • Prioritize patching systems where Excel files from untrusted sources are regularly processed
  • Review and restrict macro execution policies and document opening behaviors for files originating from external sources
  • Monitor for anomalous Excel process behavior that may indicate exploitation attempts
  • Ensure Office installations are configured for automatic updates where organizational policy permits

Evidence notes

The vulnerability is classified as an information disclosure issue with CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact. The weakness is associated with CWE-125 (Out-of-bounds Read) per Microsoft, though NVD lists it as NVD-CWE-noinfo.

Official resources

Microsoft disclosed this vulnerability through their Security Response Center on July 11, 2023, as part of their monthly security update release cycle. The CVE record was subsequently modified in May 2026, reflecting ongoing maintenance ofN