On the first Patch Tuesday of 2023, Microsoft fixed a whopping total of 98 flaws. Among them is a publicly disclosed SMB Witness Service zero-day CVE-2023-21549, and an actively exploited EoP vulnerability tracked under CVE-2023-21674. With active exploitation witnessed in the wild, the latter commands special consideration.
Discovered by Avast malware researchers Jan Vojtěšek, Milánek, and Przemek Gmerek, we’ll dissect how it operates, and what you should do to protect your network against this ALPC vulnerability.
What is an ALPC?
An Advanced Local Procedure Call (ALPC) is an inter-process communication component. It is the mechanism in which Windows depends on to facilitate messages from one process to another on the same host. It is an integral part of local remote procedure calls (RPC), Winlogon, LSASS, and more.
While the low-level details of this attack have not been disclosed, we do know that a successful exploit requires an attacker to have accomplished an initial infection on its target. The flaw is then chained to a bug present in Chromium-based web browsers to break out of the sandbox and gain SYSTEM level privileges. The full exploit chain is currently unknown.
“It allows a local attacker to escalate privileges from sandboxed execution inside Chromium to kernel-level execution and full SYSTEM privileges. Bugs of this type are often paired with some form of code exaction to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.”
Dustin Childs
Trend Micro

Given the popularity of Chromium browsers, this risk affects millions of organizations; paving the way for ransomware, data theft, and other forms of malware. Luckily, modern browsers have auto-update functionality, which mitigates one part of this threat, as explained by security researcher Satnam Narang. With that said, make sure you restart your browsers regularly for these updates to take effect.
“The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”
Satnam Narang
Tenable
Versions affected
- Windows 8
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
What to do about CVE-2023-21674
Make sure your Chromium-based browsers (Google Chrome, Microsoft Edge, and Brave) are up to date.
Install the latest Windows update for your system. It is available through the following channels:
- Windows Update
- Microsoft Update Catalog
- Windows Server Update Services (WSUS)