Security restrictions bypass in Windows and Windows Server - CVE-2018-8253

 

Published: August 14, 2018 / Updated: August 14, 2018


Vulnerability identifier: #VU14407
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8253
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Windows
Windows Server

Detailed vulnerability description

The vulnerability allows a local attacker to bypass the lock screen.

The vulnerability exists in Microsoft Cortana code that allows arbitrary website browsing on the lock screen. A user with physical access to the device can access the victim's browser and steal browser-stored passwords or log on to websites as another user.

Successful exploitation of the vulnerability requires access to the console, and the system must have Microsoft Cortana assistance enabled.

How to mitigate CVE-2018-8253

Install updates from the vendor's website.
