Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday
Several issues in the monthly update require 'urgent' attention but September's Patch Tuesday only brings around half the fixes that came in August


Microsoft has released 79 total patches as part of its monthly Patch Tuesday update, addressing three critical-rated vulnerabilities and one actively exploited zero-day.
The update delivers markedly fewer fixes than last month’s, which saw 141 flaws fixed, including 17 critical-rated vulnerabilities - the second round of updates of the year.
The updates consisted of 64 CVEs affecting Microsoft products and an additional 15 tracked issues impacting the Chromium-based Microsoft Edge browser.
Of the three critical-rated vulnerabilities - those with a severity score of 9.0 or higher on the CVSS v3 scale - the standout flaw impacted systems running the IPsec protocol which encrypts all internet protocol packets in a communication session.
The remote code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could allow an unauthenticated attacker to send a specially crafted IPv6 packet to an IPsec-enabled Windows node to achieve code execution.
There is no indication that it has been exploited in the wild but with the attack complexity being thought of as ‘low’ and there being no need for any authentication at all, it is considered one of the most serious issues for IT admins to address urgently.
The flaw is tracked as CVE-2022-34718. The Zero Day Initiative (ZDI) said: “This critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPsec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
The remaining two critical-rated vulnerabilities, both rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722, impact Windows Internet Key Exchange (IKE) and can facilitate RCE.
Similar to the “exploitation more likely” CVE-2022-34718, the two other serious flaws can be exploited remotely and require no privileges.
“The IKE protocol is a component of IPsec used to set up security associations - relationships among devices based on shared security attributes,” said Tenable’s Security Response Team in a blog.
“These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks.”
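The exposure conditions quoted above (IPv6 enabled, IPsec configured) can be triaged per host before the update is deployed. The following PowerShell is an added example, not code from Microsoft, ZDI or Tenable; the function name Get-IPsecIPv6Exposure is hypothetical, and it reports configuration only, so patch state still has to be confirmed against Microsoft's update listing.

```powershell
# Added example: per-host triage of the preconditions described in the article.
# Get-IPsecIPv6Exposure is a hypothetical helper name, not a built-in cmdlet.
function Get-IPsecIPv6Exposure {
    [CmdletBinding()]
    param()

    # Adapters that still have the IPv6 protocol binding (ms_tcpip6) enabled.
    $ipv6Adapters = @(
        Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled }
    )

    # IPsec rules currently in effect; ActiveStore merges local and
    # Group Policy delivered rules into the policy the host is enforcing.
    $ipsecRules = @(
        Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' }
    )

    # Windows services behind IKE keying (IKEEXT) and IPsec policy (PolicyAgent).
    $services = @(Get-Service -Name IKEEXT, PolicyAgent -ErrorAction SilentlyContinue)
    $ikeExt   = $services | Where-Object { $_.Name -eq 'IKEEXT' }
    $polAgent = $services | Where-Object { $_.Name -eq 'PolicyAgent' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IPv6Adapters          = ($ipv6Adapters | ForEach-Object { $_.Name }) -join ', '
        ActiveIPsecRuleCount  = $ipsecRules.Count
        IKEEXTStatus          = $ikeExt.Status
        PolicyAgentStatus     = $polAgent.Status
        # True when both conditions from the ZDI quote hold on this host.
        MeetsQuotedConditions = ($ipv6Adapters.Count -gt 0) -and ($ipsecRules.Count -gt 0)
    }
}

# Print the triage record for the local machine.
Get-IPsecIPv6Exposure | Format-List
```

Hosts where MeetsQuotedConditions is True match the conditions ZDI describes for CVE-2022-34718 and are the ones to patch first.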
The single actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File System driver and could be used by an attacker to elevate their privileges to SYSTEM level.
It received a lower-severity score of 7.8/10 on the CVSS v3 scale due to the attacker already needing to have local access to the target’s machine.
This level of code-execution access could be gained either through physical access to the device’s keyboard or remotely, through techniques such as exploitation of another vulnerability or remote access via remote desktop protocol (RDP), for example.
“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said the ZDI. “Once they do, additional code executes with elevated privileges to take over a system.
“Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”
The full list of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be found on its dashboard.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.