CVE-2023-41763: 
vulnerability analysis and mitigation

Skype for Business Elevation of Privilege Vulnerability (CVE-2023-41763) was discovered and disclosed on October 10, 2023. The vulnerability affects Microsoft Skype for Business Server 2015 (Cumulative Update 13) and Skype for Business Server 2019 (Cumulative Update 7). This security flaw was actively exploited in the wild before patches were released (Help Net Security).

The vulnerability allows an attacker to make specially crafted network calls to the target Skype for Business server, which could trigger the parsing of an HTTP request made to an arbitrary address. The vulnerability is classified as an elevation of privilege vulnerability with a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The flaw is categorized as CWE-918 (Server-Side Request Forgery) (NVD).

When successfully exploited, the vulnerability could expose sensitive information that might provide access to internal networks. The attack could result in the attacker gleaning IP addresses and/or port numbers from the target system (Help Net Security).

Microsoft has released security updates to address this vulnerability. Organizations running Skype for Business Server 2015 or 2019 should apply the security update KB5032429. The patch is available through Microsoft's standard update channels (Microsoft Support).