Actively Exploited Zero Click RCE Vulnerabilities: CVE-2023-4863 and CVE-2023-5217


CVE-2023-4863 and CVE-2023-5217 are two critical zero-click remote code execution (RCE) vulnerabilities in common image rendering libraries used by all Chromium-based web browsers as well as many other popular mobile and desktop applications. Both share the same CVSS score of 8.8. More specifically, CVE-2023-4863 is a vulnerability in the libwebp library while CVE-2023-5217 is a vulnerability in the libvpx library.  Neither  CVE-2023-4863 or CVE-2023-5217 require user interaction and both are remote code execution (RCE) vulnerabilities that can be exploited when malicious content is supplied to any client application that uses the affected image processing libraries. In a typical attack a victim could simply visit a website that includes a malicious WebP image or otherwise these vulnerabilities may be used to target specific individuals directly via social media messages, phishing, or other social engineering techniques.

Both CVEs have been observed to be actively exploited in the wild and have been added to CISA’s Known Exploited Vulnerabilities Catalog. CVE-2023-4863 was first discovered and reported by Citizen Lab on September 9th, 2023.  Dubbed BLASTPASS, it was uncovered that the flaw was being actively used to infect devices with NSO Group’s infamous Pegasus spyware. Being actively exploited greatly increases the risk associated with these vulnerabilities and updates to all impacted should be given the highest priority.

Scope Of Impact

The scope of impact for CVE-2023-4863 and CVE-2023-5217 includes any applications or other resources that rely on libwebp (for WebM video format) or libvpx (for WebP image for image). Both CVEs are client-side vulnerabilities, meaning that the end user of an affected application (such as a malicious website) is at risk of being exploited. The use of the WebP and WebM formats is not unique to Chrome or even web browsers but is incorporated in many other applications across all major OS platforms including Windows, macOS, and Linux, so the use of libwebp and libvpx are widespread throughout the digital media ecosystem.

Examples of technologies that are confirmed to be impacted include:

A Complete Attack Trajectory and Associated ATT&CK TTP

These two vulnerabilities have all the prerequisites to be classified as high severity.  They are considered “zero-click” meaning that an attacker does not need to use sophisticated social engineering techniques to exploit them.  These flaws can be exploited when a victim simply visits a website that hosts an infected WebP resource, making a watering hole attack a very viable infection path.  However, individuals may be targeted with social engineering contexts enticing them to open malicious links or files.

MITRE ATT&CK TTP of the exploit chain are:

  • Drive-By Compromise [T1189]: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Unlike Exploit Public-Facing Application [T1190], the focus of this technique is to exploit software on a client endpoint upon visiting a website.
  • Shared Modules [T1203]: Adversaries may execute malicious payloads via loading shared modules.
  • Exploitation for Client Execution [T1203]: Adversaries may exploit software vulnerabilities in client applications to execute code.
  • Command and Control [TA0011]: Attackers control a system within a victim network to remotely execute arbitrary commands, import additional malware tools, and avoid detection.

MITRE Common Weakness Enumeration (CWE) references include:

  • Out-of-bounds Write [CWE-787]: Writing data past the end, or before the beginning, of the intended memory buffer.
  • Stack-based Buffer Overflow [CWE-121]: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.
  • Heap-based Buffer Overflow [CWE-122]: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory.

After initial infection, the attack trajectory depends on the nature of the attacker-supplied code that is executed. Initially attackers will leverage the run-time permission context of the exploited application to download and install a second-stage malware payload with more advanced capabilities and to establish remote command and control (C2).  If the attacker successfully gains C2, they will seek to establish persistence, meaning their malware will be loaded every time the infected system reboots, and attempt to escalate privileges, enumerate the local network, move laterally to higher value targets, and execute on objectives.

The final stage objectives also heavily depends on the particular goals of the threat actor but typically may include stealing sensitive data [TA0010] such as account credentials [TA0006] to be cracked offline [T1110.002] and subsequently used for account takeover, importing and executing ransomware [T1486] and demanding payment for a decryptor, or installing a rootkit [TA1014] for the purpose of maintaining persistent [TA0003] and covert spyware.

What is VP8 encoding?

VP8 is a video codec developed as an open and royalty-free alternative to proprietary codecs like H.264. The Internet Engineering Task Force (IETF) published the VP8 Data Format and Decoding Guide as RFC 6386 in November 2011. The protocol itself was developed by On2 Technologies. Google acquired On2 Technologies in February 2010, and later open-sourced VP8 as part of the WebM project. The VP8 video codec is widely used for web video, real-time communication (WebRTC), and various other applications. The libvpx library is a cross-platform, open-source software library that provides an implementation of VP8 and VP9 video codecs.


CVE-2023-4863 and CVE-2023-5217 are actively exploited client-side, zero-click, remote code execution (RCE) vulnerabilities in widely-used image rendering libraries. Rated with CVSS 8.8 critical severity, they impact all Chromium-based web browsers and numerous desktop and mobile applications. As of October 27th, 2023, security updates are currently at various stages of being prepared.

CVE-2023-4863 resides in the libwebp library, while CVE-2023-5217 is linked to libvpx and they allow attackers to achieve zero-click RCE by providing malicious WebM formatted video or WebP formatted image content to a vulnerable application on a victim’s device.

Victims may encounter these threats by visiting compromised websites or opening other malicious content such as images or videos Security teams should assess their organization’s degree of exposure to CVE-2023-4863 and CVE-2023-5217 and apply updates as soon as they become available.