CVE 2023-21716- Microsoft Word RCE

Posted by: Zur Ulianitzky & David Azria & Bill Ben Haim
March 07, 2023


On March 5, a security researcher named Joshua J.Drake shared details about CVE-2023-21716, a Microsoft Word vulnerability that was patched during February 2023 Patch Tuesday. Microsoft rated this vulnerability with CVSS score 9.8

A successful exploitation requires the attacker to craft a malicious RTF file, share it with the victim via email attachment, shared folders or other sharing methods. When the victim opens the file the vulnerability is triggered which allows the attacker to execute code on the victim’s machine.

Is there a risk?

As revealed in our annual Attack Path Management Impact report, 78% of businesses can potentially be compromised whenever a new RCE (Remote Code Execution) technique is found. The new emerging zero day demonstrates why it is so important to harden and improve the security posture of your organization. XM Cyber can help customers understand the hidden attack paths from any possible RCE to business critical assets. 

Given the widespread use of Microsoft Office products, the RCE vulnerability which allows attackers to execute code on the target systems could potentially cause significant harm to any organization.

Microsoft so far has released a patch with a possible workaround.

Who is affected?

Microsoft listed a long list of vulnerable products starting from Word 2013

What should you do?

Firstly, Microsoft has released a patch to fix the vulnerability. If you are using any of the affected products listed in the Microsoft advisory, go and patch immediately.

In case, it’s currently not possible to patch the office version, you can do the following workarounds to prevent this vulnerability from being executed or triggered on your machines.

  • As a possible workaround, Microsoft suggests preventing Office from opening RTF documents from unknown or untrusted sources.

You can do this by setting the following registry keys:

  • Run regedit.exe as Administrator and navigate to the following subkey:
    `[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]` or `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`
  • Set the RtfFiles DWORD value to 2.
  • Set the OpenInProtectedView DWORD value to 0.
  • Microsoft approved the Preview Pane as a valid attack vector. Which means, victims that opened a folder containing an RTF file could also be affected. Therefore, disabling the Preview Pane is also actionable advice that might reduce the risk.
    You can do this by using Group Policy:

    • Open the Group Policy Editor.
    • Navigate to User Configuration > Administrative Templates > Windows Components > File Explorer > Explorer Frame Pane.
    • Open the **Turn off Preview Pane** setting.
    • Select the **Enabled** button.

Identifying CVE-2023-21716 with XM Cyber

XM Cyber customers can use the Vulnerability Management module in order to identify vulnerable devices. The Vulnerability Management identifies the vulnerability based on word version. 

If you are an existing customer and not subscribed to the VM module and wants to identify the vulnerability – please approach your Customer Success Manager or Account Manager.


XM Cyber Research are working on adding CVE-2023-21716 to XM Attack Path Managemnet module, to identify the vulnerability in attack paths.

Similar to other vulnerabilities, organizations lack context and visibility of which machines are at risk and which users could be exploited, which makes it very hard to know what to tackle first and how.

The XM Cyber Research team is continuously analyzing the impact of the new zero day vulnerability. As this situation is moving fast we will continue to analyze the Continuous Exposure Management  platform and provide best practices and prioritized remediation guidance when available in this blog.


The XM Cyber Research team will continue updating this blog advisory as more details emerge and a relevant patch is provided.





Zur Ulianitzky & David Azria & Bill Ben Haim

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.