IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

May 2022's routine Patch Tuesday fixes seven 'critical' issues, including a familiar headache for IT administrators

The severity of an actively exploited Windows security vulnerability rises to the highest severity rating if used by attackers in an NTLM relay attack.

The spoofing vulnerability in Windows Local Security Authority (LSA) subsystem, tracked as CVE-2022-26925, has a CVSSv3 severity rating of 7.1 on its own, but climbs to 9.8 if harnessed in tandem with an NTLM relay attack, Microsoft said.

NTLM relay attacks involve the exploitation of Microsoft’s NTLM authentication protocol, now in its thirtieth year and thus deeply embedded in enterprise networks, allowing attackers to sit in between clients and servers to intercept authentication requests to capture credentials and move around networks.

All supported versions of Windows are vulnerable to the attack and Microsoft said hackers are already finding ways to exploit it. Experts told IT Pro that it’s a bug that should worry every IT professional and one that could lead to remote code execution (RCE).

“While the advisory lists this as a CVSSv3 of 7.1 - the score jumps to a 9.8 when used as part of an NTLM attack,” said Kev Breen, director of cyber threat research at Immersive Labs. “While all servers are affected - domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Microsoft has already published an article and a separate advisory for system administrators who are looking for more information on how to protect their environments from NTLM relay attacks. 

The Zero Day Initiative (ZDI) also noted that the patch affects some backup functionality on Windows Server 2008 SP2 so it’s worth reading the vulnerability’s documentation carefully to ensure backups continue to work as needed.

PrintSpooler continues to threaten

It’s nearly been a year since Microsoft’s bungled PrintNightmare fiasco first started affecting Windows machines and a further three vulnerabilities have been addressed in Print Spooler - the built-in Windows component in this month’s round of fixes.

Although Microsoft is not aware of any active exploitation, all three vulnerabilities are classified as ‘exploitation more likely’ and should be patched as soon as possible.

“Print Spooler shows that it remains an Achilles heel in enterprise security teams’ infrastructure with the trio of vulnerabilities CVE-2022-29104, CVE-2022-29114, and CVE-2022-29132,” said Breen. “An often forgotten, but still default, component on all Windows devices, servers, and desktops - Print Spooler still presents an attractive bullseye for attackers.”

Back to normality

May 2022’s Patch Tuesday fixed 74 different vulnerabilities, a figure that’s “par for the course in terms of both number and severity of vulnerabilities,” according to Greg Wiseman, lead product manager at Rapid7, and will theoretically require less patching work compared to last month’s 145 vulnerabilities.

A total of seven vulnerabilities were classified as ‘critical’ and three had near top severity ratings of 9.8/10.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

An RCE bug in Windows Network File System tracked as CVE-2022-26937, is among the three highest-rated flaws. “This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues and upgrading is highly recommended,” said Wiseman.

A set of ten RCE issues in Windows Lightweight Directory Access Protocol (LDAP), two of which were rated 9.8/10 and comprised the final two highest-rated vulnerabilities in the list, are also cause for concern.

“With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appear particularly threatening, however, have been marked by Microsoft as ‘exploitation less likely’ as they require a default configuration unlikely to exist in most environments,” said Breen. “It’s not to say there is no need to patch these, rather a reminder that context is important when prioritising patches.”

Of the 74 total CVEs, seven were rated ‘critical’, 66 were rated ‘important’, and one was rated ‘low’. Windows administrators are advised to update as soon as possible and unlike with previous releases, the community has responded positively to this month's patches, so far.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

Microsoft Azure spending notifications unavailable until March
Cloud

Microsoft Azure spending notifications unavailable until March

2 Feb 2023
Hackers target business cloud environments by abusing Microsoft’s ‘verified publisher’ status
Security

Hackers target business cloud environments by abusing Microsoft’s ‘verified publisher’ status

1 Feb 2023
Google to cut global workforce by 12,000 roles
Careers & training

Google to cut global workforce by 12,000 roles

20 Jan 2023
Windows 11 System Restore bug preventing users from accessing apps
Microsoft Windows

Windows 11 System Restore bug preventing users from accessing apps

19 Jan 2023

Most Popular

Warning issued over ransomware attacks targeting VMware ESXi servers globally
cyber attacks

Warning issued over ransomware attacks targeting VMware ESXi servers globally

6 Feb 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023
BT Group extends Kyndryl deal to migrate legacy mainframe apps to the cloud
Business strategy

BT Group extends Kyndryl deal to migrate legacy mainframe apps to the cloud

31 Jan 2023