IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

May 2022's routine Patch Tuesday fixes seven 'critical' issues, including a familiar headache for IT administrators

The severity of an actively exploited Windows security vulnerability rises to the highest severity rating if used by attackers in an NTLM relay attack.

The spoofing vulnerability in Windows Local Security Authority (LSA) subsystem, tracked as CVE-2022-26925, has a CVSSv3 severity rating of 7.1 on its own, but climbs to 9.8 if harnessed in tandem with an NTLM relay attack, Microsoft said.

NTLM relay attacks involve the exploitation of Microsoft’s NTLM authentication protocol, now in its thirtieth year and thus deeply embedded in enterprise networks, allowing attackers to sit in between clients and servers to intercept authentication requests to capture credentials and move around networks.

All supported versions of Windows are vulnerable to the attack and Microsoft said hackers are already finding ways to exploit it. Experts told IT Pro that it’s a bug that should worry every IT professional and one that could lead to remote code execution (RCE).

“While the advisory lists this as a CVSSv3 of 7.1 - the score jumps to a 9.8 when used as part of an NTLM attack,” said Kev Breen, director of cyber threat research at Immersive Labs. “While all servers are affected - domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Microsoft has already published an article and a separate advisory for system administrators who are looking for more information on how to protect their environments from NTLM relay attacks. 

The Zero Day Initiative (ZDI) also noted that the patch affects some backup functionality on Windows Server 2008 SP2 so it’s worth reading the vulnerability’s documentation carefully to ensure backups continue to work as needed.

PrintSpooler continues to threaten

It’s nearly been a year since Microsoft’s bungled PrintNightmare fiasco first started affecting Windows machines and a further three vulnerabilities have been addressed in Print Spooler - the built-in Windows component in this month’s round of fixes.

Although Microsoft is not aware of any active exploitation, all three vulnerabilities are classified as ‘exploitation more likely’ and should be patched as soon as possible.

“Print Spooler shows that it remains an Achilles heel in enterprise security teams’ infrastructure with the trio of vulnerabilities CVE-2022-29104, CVE-2022-29114, and CVE-2022-29132,” said Breen. “An often forgotten, but still default, component on all Windows devices, servers, and desktops - Print Spooler still presents an attractive bullseye for attackers.”

Back to normality

May 2022’s Patch Tuesday fixed 74 different vulnerabilities, a figure that’s “par for the course in terms of both number and severity of vulnerabilities,” according to Greg Wiseman, lead product manager at Rapid7, and will theoretically require less patching work compared to last month’s 145 vulnerabilities.

A total of seven vulnerabilities were classified as ‘critical’ and three had near top severity ratings of 9.8/10.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

An RCE bug in Windows Network File System tracked as CVE-2022-26937, is among the three highest-rated flaws. “This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues and upgrading is highly recommended,” said Wiseman.

A set of ten RCE issues in Windows Lightweight Directory Access Protocol (LDAP), two of which were rated 9.8/10 and comprised the final two highest-rated vulnerabilities in the list, are also cause for concern.

“With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appear particularly threatening, however, have been marked by Microsoft as ‘exploitation less likely’ as they require a default configuration unlikely to exist in most environments,” said Breen. “It’s not to say there is no need to patch these, rather a reminder that context is important when prioritising patches.”

Of the 74 total CVEs, seven were rated ‘critical’, 66 were rated ‘important’, and one was rated ‘low’. Windows administrators are advised to update as soon as possible and unlike with previous releases, the community has responded positively to this month's patches, so far.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Microsoft launches low-code Power Pages for 'intuitive' web development
web development

Microsoft launches low-code Power Pages for 'intuitive' web development

24 May 2022
Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022