Actively exploited vulnerability in Windows

Time to update Windows! Microsoft has released patches for several dozen vulnerabilities, including CVE-2022-26925, which cybercriminals are already actively exploiting.

On the latest Patch Tuesday (May 10), Microsoft released updates for 74 vulnerabilities. At least one of them is already being actively exploited by attackers, so it is a good idea to install the patches as soon as possible.

CVE-2022-26925 – the most dangerous of the addressed vulnerabilities

Arguably the most dangerous vulnerability addressed in this update pack is CVE-2022-26925, which resides in the Windows Local Security Authority. On its own, the vulnerability scores 8.1 on the CVSS scale, which is relatively modest. However, Microsoft states that when it is chained with NTLM relay attacks against Active Directory Certificate Services, the severity of the combination rises to CVSS 9.8. The reason is that in such a scenario CVE-2022-26925 could allow an attacker to authenticate to a domain controller.

The vulnerability affects all Windows operating systems from Windows 7 onward (Windows Server 2008 onward for server systems). Microsoft did not go into the details of how the vulnerability is exploited; however, judging by the description of the problem, unknown attackers are already using exploits for CVE-2022-26925 in the wild. The good news is that, according to experts, exploiting this vulnerability in real attacks is quite difficult.

The fix detects and denies anonymous connection attempts to the Local Security Authority Remote Protocol. However, according to the official FAQ, installing this update on Windows Server 2008 SP2 may affect backup software.

Other vulnerabilities

In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities rated “critical”. Among them are CVE-2022-26937, an RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130, two RCE vulnerabilities in the LDAP service.

Two other vulnerabilities were already publicly known at the time the patches were published: CVE-2022-29972, a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713, a DoS vulnerability in Windows Hyper-V. However, no attempts to exploit them have been detected to date.

How to stay protected

First and foremost, install the latest updates from Microsoft. If for some reason that is impossible in your environment, refer to the FAQs, Mitigations, and Workarounds section of Microsoft’s official May 2022 Security Updates guide; one of the methods described there may protect you from the vulnerabilities relevant to your infrastructure.
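As an added example that is not part of the original post or of Microsoft’s own tooling, the following read-only PowerShell audit script ties the two recommendations above together for a Windows administrator: it checks whether a given set of update KB numbers is installed on the host, checks whether the AD CS Web Enrollment site enforces Extended Protection for Authentication (the setting Microsoft’s guidance on NTLM relay against AD CS recommends), and reports the host’s LmCompatibilityLevel. The KB identifier in the parameter default is a placeholder, not a real May 2022 update number; the site path `IIS:\Sites\Default Web Site\CertSrv` assumes the default Web Enrollment deployment.

```powershell
# Added example (not from the original post): read-only audit for the May 2022
# Patch Tuesday recommendations. Run in an elevated PowerShell on a domain
# controller or AD CS server. Nothing here changes configuration.
#
# The KB id below is a PLACEHOLDER: look up the cumulative update for your OS
# build in the May 2022 Security Updates guide and pass it via -RequiredKBs.

param(
    [string[]]$RequiredKBs = @('KB0000000')   # placeholder, replace per OS build
)

function Test-RequiredUpdates {
    # PASS for each requested KB that Get-HotFix reports as installed.
    param([string[]]$KBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            Check  = "Update $kb installed"
            Result = if ($installed -contains $kb) { 'PASS' } else { 'FAIL' }
        }
    }
}

function Test-AdcsExtendedProtection {
    # Only meaningful where the AD CS Web Enrollment role is present; EPA with
    # tokenChecking=Require on the /CertSrv site is the relay mitigation.
    $role = Get-WindowsFeature -Name ADCS-Web-Enrollment -ErrorAction SilentlyContinue
    if (-not $role -or -not $role.Installed) {
        return [pscustomobject]@{ Check = 'AD CS Web Enrollment EPA'; Result = 'N/A (role not installed)' }
    }
    Import-Module WebAdministration
    $site   = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default deployment path
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $epa = Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name 'extendedProtection'
    $tokenChecking = [string]$epa.tokenChecking
    [pscustomobject]@{
        Check  = 'AD CS Web Enrollment EPA tokenChecking'
        Result = if ($tokenChecking -eq 'Require') { 'PASS' } else { "FAIL (tokenChecking=$tokenChecking)" }
    }
}

function Get-LmCompatibilityLevel {
    # Reports the NTLM/LM negotiation level; an unset value means the OS default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
    [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Result = $level }
}

$results  = @()
$results += Test-RequiredUpdates -KBs $RequiredKBs
$results += Test-AdcsExtendedProtection
$results += Get-LmCompatibilityLevel
$results | Format-Table -AutoSize
```

Run it as `.\Audit-May2022.ps1 -RequiredKBs 'KB<your build update>'` on each server in scope; a FAIL on the update check means the host still needs the patch, and a FAIL on the EPA check means the AD CS endpoint is still a viable NTLM relay target even after patching, which is why the two checks are reported side by side.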

For our part, we recommend protecting every internet-connected device with a reliable security solution capable of detecting exploitation of previously unknown vulnerabilities.