Microsoft has issued fixes for three zero-day vulnerabilities, including one being actively exploited in the wild, as part of its May monthly update round.
Publicly disclosed flaw CVE-2022-26925 is a spoofing vulnerability in Windows LSA marked as “exploitation detected.”
“The vulnerability by itself is only rated as important by Microsoft, has a CVSS v3.1 score of 8.1, and the exploit code maturity is listed as unproven, but dig a bit deeper and the vulnerability is much more threatening,” argued Ivanti VP of product management, Chris Goettl.
“The vulnerability has been detected in attacks, so while code samples available publicly may be unproven there are working exploits being used.”
He added that, when combined with NTLM relay attacks on Active Directory Certificate Services, the bug gets a combined CVSS score of 9.8. That’s why Microsoft is urging firms to patch all domain controllers as soon as possible.
The other two publicly disclosed flaws fixed this month have not yet been detected as exploited in the wild, although that may soon change.
CVE-2022-29972 is a critical remote code execution (RCE) vulnerability in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver. It will probably need to be patched by organizations’ cloud providers, according to Recorded Future senior security architect Allan Liska.
The final zero-day is CVE-2022-22713, a denial of service vulnerability in Hyper-V.
“This vulnerability appears to be limited to Windows 10 on X64-based systems and Windows Server 2019,” said Liska.
“Microsoft rates this vulnerability as Important with a CVSS score of 5.6 and deems it ‘Exploitation Less Likely.’ That being said, because it is publicly disclosed those organizations reliant on Hyper-V for remote connectivity and management should prioritize patching.”
If users have the MaxReceiveBuffer LDAP policy set to a value higher than the default, they should prioritize patching, he said.