PatchDay Alert
Analysis · 4 min read · 862 words · By analysis-desk

Known exploited, no patch: what to do in the weeks before a fix exists

When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks. Only mitigations. That scenario is more common than a patch-centric process assumes, and mitigations are the plan, not a consolation prize.


Most vulnerability response assumes the sequence is: bug disclosed, patch available, deploy patch. CVE-2023-36884 broke that assumption in a way worth studying. When Microsoft disclosed it on July 11, 2023, it was already being exploited in the wild by a Russian threat group against government and defense targets, and there was no patch. The advisory shipped with mitigations only. For several weeks, until the August update, the entire defense was a set of workarounds. If your process has no answer for “known-exploited bug, no patch yet,” that gap is a real exposure, and it recurs more often than people expect.

What the bug is

CVE-2023-36884 was disclosed as an Office and Windows HTML remote code execution vulnerability, later associated with a Windows Search component and a Mark-of-the-Web evasion, CVSS 7.5, requiring user interaction. The attack: a victim opens a malicious Microsoft Word document, which pulls down content that, through an HTML/iframe chain, leads to execution of a payload. CISA added it to the Known Exploited Vulnerabilities catalog on July 17, 2023, with the ransomware flag.

Microsoft attributed the activity to Storm-0978, also known as RomCom, a Russia-based actor running both espionage and financially motivated operations. The campaign used phishing documents themed around the Ukrainian World Congress and NATO-summit diplomacy to target defense and government organizations in Europe and North America, delivering the RomCom backdoor and, in some cases, ransomware. Exploitation predated disclosure. The point that matters operationally is the timeline: actively exploited on July 3 or earlier, disclosed July 11, patched in August. There was a multi-week window where the bug was real, weaponized, and unpatchable.

Mitigations aren’t a consolation prize

The instinctive reading of “no patch yet” is helplessness: wait for the fix. That’s wrong, and CVE-2023-36884 is a good teacher of why, because Microsoft’s interim mitigations were genuinely effective. They were:

  • Block Office applications from creating child processes, via the Attack Surface Reduction (ASR) rule of the same name. The exploit chain relied on Office spawning a process; that rule breaks it.
  • Set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry values for the Office applications, which Microsoft published specifically to block this exploitation path.

Either one closed the door during the no-patch window. So the lesson generalizes into a posture: when a known-exploited bug has no patch, the mitigations in the advisory are not a holding action while you wait for the real fix; for the duration of the window, they are the real fix. Treat them with the same urgency and rollout discipline you’d give a patch.

The corollary is that you should be able to deploy these things fast, before you need them:

  • ASR rules are a standing capability worth having on already. The “block Office child processes” rule, and several others, defeat whole classes of document-based exploitation, not just this one. Organizations that already ran that ASR rule were protected against CVE-2023-36884 before they’d heard of it. Mitigations you can turn on in an hour are worth far more than ones you have to research under fire.
  • Know how to push a registry change and an ASR configuration across the fleet quickly. The no-patch window is exactly when “we can deploy a setting to all endpoints today” pays off. If that’s a multi-week project in your environment, build the capability now.
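The two mitigations above, as an audit-first PowerShell script that can be pushed to endpoints. This is an added example, not Microsoft’s code and not part of the original article. It assumes three things that should be checked against the MSRC advisory before use: the GUID of the “Block all Office applications from creating child processes” ASR rule, the full registry path under which the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key lives, and the list of Office executables that receive a value under it.

```powershell
# Added example (not Microsoft's code, not the article's own). Audits the two interim
# mitigations for CVE-2023-36884 on the local host and, only with -Apply, enforces them.
# ASSUMPTIONS to verify against the MSRC advisory: the ASR rule GUID, the full registry
# path, and the per-application value names under the feature-control key.
#Requires -RunAsAdministrator
param([switch]$Apply)

# ASR rule "Block all Office applications from creating child processes" (assumed GUID).
$AsrOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Key named in the advisory; the path prefix is assumed.
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-AsrRuleState {
    # Defender exposes ASR rules as two parallel arrays (Ids and Actions); map one rule to a readable state.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) {
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return 'Disabled' }
            }
        }
    }
    return 'NotConfigured'
}

function Get-Cve202336884MitigationStatus {
    # One row per control, so output collected from many hosts can be compared.
    $rows = @()
    $rows += [pscustomobject]@{ Control = 'ASR: Office child processes'
                                State   = (Get-AsrRuleState -RuleId $AsrOfficeChildProcesses) }
    foreach ($exe in $OfficeExes) {
        $value = (Get-ItemProperty -Path $FeatureKey -Name $exe -ErrorAction SilentlyContinue).$exe
        $state = if ($value -eq 1) { 'Set' } elseif ($null -eq $value) { 'Missing' } else { "Unexpected ($value)" }
        $rows += [pscustomobject]@{ Control = "FeatureControl: $exe"; State = $state }
    }
    return $rows
}

function Set-Cve202336884Mitigations {
    # Enforce both controls: ASR rule in block mode, REG_DWORD 1 for each Office application.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcesses `
                     -AttackSurfaceReductionRules_Actions Enabled
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $FeatureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if ($Apply) { Set-Cve202336884Mitigations }
Get-Cve202336884MitigationStatus | Format-Table -AutoSize
```

Run it without arguments to get a per-control status table, and with `-Apply` to enforce. The audit function is deliberately separate from the enforcement function so the same script can be run fleet-wide through `Invoke-Command -ComputerName` (or a management tool’s script deployment) first in read-only mode, to measure coverage, and then with `-Apply` on the hosts that report `Missing` or `NotConfigured`. Having this shape ready before a no-patch advisory lands is the “deploy a setting to all endpoints today” capability the item above describes.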

What to do

  • Patch CVE-2023-36884. The August 2023 update is the fix; if you somehow haven’t applied it, do. This is the permanent remediation.
  • Turn on the ASR rule that blocks Office from spawning child processes, and keep it on. It mitigated this bug and continues to defeat a broad category of malicious-document attacks.
  • Build a no-patch playbook. When a KEV entry has no patch, your standard motion should be: read the vendor mitigations, deploy them fleet-wide immediately, add detections for the exploitation pattern, and reduce exposure (here, that’s user-targeted phishing, so email filtering and document handling matter). Then patch when the fix lands.
  • Treat document-delivered RCE as a phishing problem too. The exploit needed a user to open a crafted Word file. Email gateway controls, attachment detonation, and blocking risky document types are part of the defense, especially during the no-patch window.
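The trigger for the no-patch playbook is a KEV entry whose required action is mitigation-only. Here is an added PowerShell example (not the article’s code and not a CISA tool) that filters a KEV catalog for such entries and ranks them by the ransomware flag and the due date. It assumes the field names of CISA’s KEV JSON feed; the records embedded below are constructed sample data, and the text match on `requiredAction` is a heuristic rather than a documented catalog flag.

```powershell
# Added example, not the article's code and not CISA's. Flags KEV entries whose required
# action is mitigation-only (the "known exploited, no patch" case). Field names follow the
# CISA KEV JSON feed; the records below are CONSTRUCTED sample data, and the rule applied to
# requiredAction is a heuristic based on CISA's standard wording, not a catalog field.
$SampleKevJson = @'
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-36884",
      "vendorProject": "Microsoft",
      "product": "Office and Windows",
      "dateAdded": "2023-07-17",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2023-08-08",
      "knownRansomwareCampaignUse": "Known"
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "dateAdded": "2023-07-17",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-08-07",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
'@

function Get-NoPatchKevEntries {
    # Returns one object per entry that asks for mitigations rather than updates.
    param(
        [Parameter(Mandatory)][string]$KevJson,
        [datetime]$AsOf = (Get-Date)
    )
    $catalog = $KevJson | ConvertFrom-Json
    foreach ($v in $catalog.vulnerabilities) {
        # Heuristic: patched entries carry "Apply updates ..."; entries asking for
        # mitigations or discontinuation are treated as the no-patch case.
        $noPatch = ($v.requiredAction -match 'mitigation') -and
                   ($v.requiredAction -notmatch 'Apply updates')
        if (-not $noPatch) { continue }
        [pscustomobject]@{
            CveID      = $v.cveID
            Product    = "$($v.vendorProject) $($v.product)"
            Ransomware = ($v.knownRansomwareCampaignUse -eq 'Known')
            DaysToDue  = [int](([datetime]$v.dueDate) - $AsOf.Date).TotalDays
            Action     = $v.requiredAction
        }
    }
}

# Ransomware-flagged and nearest-due entries first: those get mitigations pushed today.
Get-NoPatchKevEntries -KevJson $SampleKevJson -AsOf ([datetime]'2023-07-18') |
    Sort-Object -Property Ransomware, DaysToDue -Descending |
    Format-Table -AutoSize
```

Against the sample data only CVE-2023-36884 is returned, flagged as ransomware-associated with 21 days to the due date. To run it against the live catalog, pass `(Invoke-WebRequest 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json').Content` as `-KevJson`; each returned row is a candidate for the playbook motion above (read the vendor mitigations, deploy fleet-wide, add detections, reduce exposure, patch when the fix lands).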

The reframe is about completing your mental model of vulnerability response. The patch-deploy-done loop is the common case, not the only case, and the exceptions are disproportionately dangerous because they’re the bugs attackers chose to burn as zero-days against high-value targets. For those, the weeks before a patch exists are not dead time; they’re when mitigations carry the whole load. Storm-0978 was inside government networks with CVE-2023-36884 before Microsoft had a fix to ship, and the organizations that came through it were the ones that could act on a mitigation without waiting for a patch. We track the no-patch KEV entries with particular attention, because those are the ones where your interim controls, not your patch cadence, decide the outcome.
