Dogwalk RCE variant among 121 vulnerabilities fixed in Microsoft's August Patch Tuesday
The second-biggest security update released by Microsoft this year featured 17 critical-rated RCEs and privilege escalation bugs
Microsoft has patched 17 ‘critical’ vulnerabilities and one remote code execution (RCE) zero-day in its August monthly Patch Tuesday.
A total of 121 vulnerabilities were patched in the Tuesday update, as well as 20 additional Chromium-based Microsoft Edge flaws on Friday 5 August.
Impacting Microsoft Windows Support Diagnostic Tool (MDST), the zero-day vulnerability (CVE-2022-34713) is among the most notable fixes this month and is a variant of the previously disclosed ‘Dogwalk’, Microsoft said.
Rated 7.8 on the CVSSv3 severity scale, it can be exploited by tricking a target into opening a malicious document via email phishing, or through an attacker-controlled website that hosts a malicious file.
Dogwalk drew major attention in May 2022 but dates back to an initial discovery in 2020. It was ‘lazily’ named by a security researcher who was walking his dog at the time of being asked to name it, he claimed.
The vulnerability itself is a path traversal flaw in MDST affecting Windows 7 devices or newer. To exploit it, targets have to become infected with a malicious .diagcab file which drops the payload into the Windows Startup folder and executed by Windows when the user next logs in, according to an analysis by SOC Prime.
A zero-day vulnerability is one that has been previously disclosed publicly and with active exploitation spotted. A separate RCE flaw in MDST (CVE-2022-35743) was also patched this month, but active exploitation has not been found and therefore cannot be considered a zero-day.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Microsoft categorised 17 of the now-patched vulnerabilities as ‘critical’ since they facilitated the elevation of privileges and RCE. Only three of the 121 total flaws were classified as ‘critical’ on the CVSSv3 severity scale - vulnerabilities with scores between 9.0 and 10.0.
All three of the most severe vulnerabilities were all RCEs with one affecting Windows Network File System (NFS) (CVE-2022-34715) and two separate flaws impacting the Windows Point-to-Point Protocol (PPP) (CVE-2022-30133 and CVE-2022-35744).
CVE-2022-34715 was classed as a low-complexity exploit by Microsoft and involves an attacker making an unauthenticated call to an NFS service (version 4.0) to trigger an RCE.
Although rated 9.8/10.0 on the CVSSv3 scale, Microsoft branded this vulnerability as ‘important’ - the second-highest severity rating because a target would be presented with a prompt or warning during the kill chain.
CVE-2022-30133 and CVE-2022-35744 were both rated 9.8/10.0 on the CVSSv3 scale and also classified as ‘critical’ by Microsoft since RCE could be achieved without any user intervention at all.
In both cases, an unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), Microsoft said, which could lead to RCE on the RAS server machine.
The remaining critical-rated vulnerabilities, as classified by Microsoft, all fell below the ‘critical’ threshold of the CVSSv3 scale but require no user intervention to exploit them.
The remaining flaws impacted the following: Active Directory Domain Services, Windows Secure Socket Tunneling Protocol, Windows Hyper-V, SMB Client and Server, and Microsoft Exchange Server.
The full list of fixed vulnerabilities can be found on Microsoft’s dedicated web page.
August’s Patch Tuesday marks the second-biggest round of updates in 2022, behind April’s which fixed 145 different flaws.
Early reports from system administrator communities are indicating that the updates are applying successfully and not impacting any wider components as Patch Tuesday updates have in the past.
Earlier this year, Windows Server admins collectively agreed to forgo a month of patches due to the security updates causing other services in their IT environments to break.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Organizations hit by 90 zero-day vulnerabilities last yearNews Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023