Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

Windows 11 and Windows 11 displayed on two different laptops
(Image credit: Getty Images)

The severity of an actively exploited Windows security vulnerability rises to the highest severity rating if used by attackers in an NTLM relay attack.

The spoofing vulnerability in Windows Local Security Authority (LSA) subsystem, tracked as CVE-2022-26925, has a CVSSv3 severity rating of 7.1 on its own, but climbs to 9.8 if harnessed in tandem with an NTLM relay attack, Microsoft said.

NTLM relay attacks involve the exploitation of Microsoft’s NTLM authentication protocol, now in its thirtieth year and thus deeply embedded in enterprise networks, allowing attackers to sit in between clients and servers to intercept authentication requests to capture credentials and move around networks.

All supported versions of Windows are vulnerable to the attack and Microsoft said hackers are already finding ways to exploit it. Experts told IT Pro that it’s a bug that should worry every IT professional and one that could lead to remote code execution (RCE).

“While the advisory lists this as a CVSSv3 of 7.1 - the score jumps to a 9.8 when used as part of an NTLM attack,” said Kev Breen, director of cyber threat research at Immersive Labs. “While all servers are affected - domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Microsoft has already published an article and a separate advisory for system administrators who are looking for more information on how to protect their environments from NTLM relay attacks.

The Zero Day Initiative (ZDI) also noted that the patch affects some backup functionality on Windows Server 2008 SP2 so it’s worth reading the vulnerability’s documentation carefully to ensure backups continue to work as needed.

PrintSpooler continues to threaten

It’s nearly been a year since Microsoft’s bungled PrintNightmare fiasco first started affecting Windows machines and a further three vulnerabilities have been addressed in Print Spooler - the built-in Windows component in this month’s round of fixes.

Although Microsoft is not aware of any active exploitation, all three vulnerabilities are classified as ‘exploitation more likely’ and should be patched as soon as possible.

“Print Spooler shows that it remains an Achilles heel in enterprise security teams’ infrastructure with the trio of vulnerabilities CVE-2022-29104, CVE-2022-29114, and CVE-2022-29132,” said Breen. “An often forgotten, but still default, component on all Windows devices, servers, and desktops - Print Spooler still presents an attractive bullseye for attackers.”

Back to normality

May 2022’s Patch Tuesday fixed 74 different vulnerabilities, a figure that’s “par for the course in terms of both number and severity of vulnerabilities,” according to Greg Wiseman, lead product manager at Rapid7, and will theoretically require less patching work compared to last month’s 145 vulnerabilities.

A total of seven vulnerabilities were classified as ‘critical’ and three had near top severity ratings of 9.8/10.


The truth about cyber security training

Stop ticking boxes. Start delivering real change.


An RCE bug in Windows Network File System tracked as CVE-2022-26937, is among the three highest-rated flaws. “This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues and upgrading is highly recommended,” said Wiseman.

A set of ten RCE issues in Windows Lightweight Directory Access Protocol (LDAP), two of which were rated 9.8/10 and comprised the final two highest-rated vulnerabilities in the list, are also cause for concern.

“With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appear particularly threatening, however, have been marked by Microsoft as ‘exploitation less likely’ as they require a default configuration unlikely to exist in most environments,” said Breen. “It’s not to say there is no need to patch these, rather a reminder that context is important when prioritising patches.”

Of the 74 total CVEs, seven were rated ‘critical’, 66 were rated ‘important’, and one was rated ‘low’. Windows administrators are advised to update as soon as possible and unlike with previous releases, the community has responded positively to this month's patches, so far.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.