IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

May 2022's routine Patch Tuesday fixes seven 'critical' issues, including a familiar headache for IT administrators

The severity of an actively exploited Windows security vulnerability rises to the highest severity rating if used by attackers in an NTLM relay attack.

The spoofing vulnerability in Windows Local Security Authority (LSA) subsystem, tracked as CVE-2022-26925, has a CVSSv3 severity rating of 7.1 on its own, but climbs to 9.8 if harnessed in tandem with an NTLM relay attack, Microsoft said.

NTLM relay attacks involve the exploitation of Microsoft’s NTLM authentication protocol, now in its thirtieth year and thus deeply embedded in enterprise networks, allowing attackers to sit in between clients and servers to intercept authentication requests to capture credentials and move around networks.

All supported versions of Windows are vulnerable to the attack and Microsoft said hackers are already finding ways to exploit it. Experts told IT Pro that it’s a bug that should worry every IT professional and one that could lead to remote code execution (RCE).

“While the advisory lists this as a CVSSv3 of 7.1 - the score jumps to a 9.8 when used as part of an NTLM attack,” said Kev Breen, director of cyber threat research at Immersive Labs. “While all servers are affected - domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Microsoft has already published an article and a separate advisory for system administrators who are looking for more information on how to protect their environments from NTLM relay attacks. 

The Zero Day Initiative (ZDI) also noted that the patch affects some backup functionality on Windows Server 2008 SP2 so it’s worth reading the vulnerability’s documentation carefully to ensure backups continue to work as needed.

PrintSpooler continues to threaten

It’s nearly been a year since Microsoft’s bungled PrintNightmare fiasco first started affecting Windows machines and a further three vulnerabilities have been addressed in Print Spooler - the built-in Windows component in this month’s round of fixes.

Although Microsoft is not aware of any active exploitation, all three vulnerabilities are classified as ‘exploitation more likely’ and should be patched as soon as possible.

“Print Spooler shows that it remains an Achilles heel in enterprise security teams’ infrastructure with the trio of vulnerabilities CVE-2022-29104, CVE-2022-29114, and CVE-2022-29132,” said Breen. “An often forgotten, but still default, component on all Windows devices, servers, and desktops - Print Spooler still presents an attractive bullseye for attackers.”

Back to normality

May 2022’s Patch Tuesday fixed 74 different vulnerabilities, a figure that’s “par for the course in terms of both number and severity of vulnerabilities,” according to Greg Wiseman, lead product manager at Rapid7, and will theoretically require less patching work compared to last month’s 145 vulnerabilities.

A total of seven vulnerabilities were classified as ‘critical’ and three had near top severity ratings of 9.8/10.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

An RCE bug in Windows Network File System tracked as CVE-2022-26937, is among the three highest-rated flaws. “This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues and upgrading is highly recommended,” said Wiseman.

A set of ten RCE issues in Windows Lightweight Directory Access Protocol (LDAP), two of which were rated 9.8/10 and comprised the final two highest-rated vulnerabilities in the list, are also cause for concern.

“With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appear particularly threatening, however, have been marked by Microsoft as ‘exploitation less likely’ as they require a default configuration unlikely to exist in most environments,” said Breen. “It’s not to say there is no need to patch these, rather a reminder that context is important when prioritising patches.”

Of the 74 total CVEs, seven were rated ‘critical’, 66 were rated ‘important’, and one was rated ‘low’. Windows administrators are advised to update as soon as possible and unlike with previous releases, the community has responded positively to this month's patches, so far.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible
Business operations

Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible

8 Aug 2022
Microsoft wins five-year digital transformation deal with Australia’s largest telco
digital transformation

Microsoft wins five-year digital transformation deal with Australia’s largest telco

26 Jul 2022
Slack Connect vs Microsoft Teams Connect: Better than email?
collaboration

Slack Connect vs Microsoft Teams Connect: Better than email?

20 Jul 2022
Microsoft announces simulator for autonomous aircraft development
Cloud

Microsoft announces simulator for autonomous aircraft development

20 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022