On January 11, 2022, Microsoft released patches for critical and important remote code execution (RCE) vulnerabilities that could be appealing to threat actors. There are no reports of active exploitation as of this publication, but Microsoft labeled them as “exploitation more likely.”
HTTP protocol stack vulnerability CVE-2022-21907 impacts multiple Windows versions. The vulnerability affects http.sys, which is a Windows web server implementation that runs in kernel mode. Microsoft describes the vulnerability as “wormable,” meaning that it could be remotely exploited and enable malicious code to spread from one host to another without user interaction.
CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969 could allow threat actors to take control of Exchange servers. These vulnerabilities impact Exchange Server 2013, 2016, and 2019. Threat actors must have an existing foothold in an environment to exploit these vulnerabilities.
Customers should review the Microsoft guidance listed in the References section and apply patches and mitigations as appropriate in their environments.
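As an added defender-side example (this is not part of the advisory and not Microsoft's own tooling), the PowerShell below gives an administrator a read-only view of where a host stands against the issues above: whether the Exchange security update KB5008631 named in the references is present, whether the kernel-mode HTTP service that http.sys provides is running, which URL prefixes are registered with it, and the current value of the HTTP Trailer Support setting that Microsoft's published guidance for CVE-2022-21907 refers to. The KB number and CVE identifiers come from this page; the registry paths, the use of `netsh http show servicestate`, and the Exchange detection key are assumptions marked in the comments.

```powershell
# Added example, not part of the advisory. Read-only patch-state and exposure check.
# Run from an elevated PowerShell prompt on each Windows or Exchange host being assessed.

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Windows cumulative updates are visible through Get-HotFix (Win32_QuickFixEngineering).
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }
    # Exchange security updates are Windows Installer patches and are NOT listed by
    # Get-HotFix. Assumption: the update registers a DisplayName containing the KB
    # number under the Installer patch registration path below.
    $patchRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
    $match = Get-ItemProperty -Path $patchRoot -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like "*$Kb*" }
    return [bool]$match
}

function Get-HttpSysExposure {
    # http.sys is exposed through the kernel-mode "HTTP" service; while it runs, every
    # URL prefix registered with it is a network-reachable entry point into http.sys.
    $svc   = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'NotPresent' }

    # Registered request queues and their URL prefixes, as printed by netsh
    # (lines such as "HTTP://+:5985/WSMAN/"; -match is case-insensitive).
    $urls = & netsh http show servicestate view=requestq 2>$null |
            ForEach-Object { if ($_ -match '^\s*(https?://\S+)') { $Matches[1] } } |
            Sort-Object -Unique

    # Assumption (from Microsoft's CVE-2022-21907 guidance, not from this page): the
    # EnableTrailerSupport value under the HTTP service parameters controls the
    # HTTP Trailer Support feature involved in this vulnerability. Reported as-is.
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer  = (Get-ItemProperty -Path $paramKey -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
    $trailerState = if ($null -eq $trailer) { 'not set' } else { [string]$trailer }

    [pscustomobject]@{
        HttpServiceState      = $state
        RegisteredUrlPrefixes = @($urls)
        EnableTrailerSupport  = $trailerState
    }
}

# --- Report ---
$os = Get-CimInstance Win32_OperatingSystem
"Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# Assumption: Exchange 2013/2016/2019 register this setup key (all are "v15" builds).
$exchangePresent = Test-Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
if ($exchangePresent) {
    # KB5008631 is the January 11, 2022 Exchange security update listed in the references.
    if (Test-KbInstalled -Kb 'KB5008631') {
        "[OK]   KB5008631 (Exchange January 2022 security update) is installed"
    } else {
        "[WARN] Exchange detected but KB5008631 not found; CVE-2022-21846/21855/21969 likely unpatched"
    }
} else {
    "[INFO] No Exchange installation detected on this host"
}

$http = Get-HttpSysExposure
"http.sys service: $($http.HttpServiceState); EnableTrailerSupport: $($http.EnableTrailerSupport)"
if ($http.RegisteredUrlPrefixes.Count -gt 0) {
    "[INFO] URL prefixes registered with http.sys (reachable entry points until the CVE-2022-21907 update is applied):"
    $http.RegisteredUrlPrefixes | ForEach-Object { "       $_" }
} else {
    "[INFO] No URL prefixes currently registered with http.sys"
}
```

The script deliberately changes nothing: it only reads service state, registry values and netsh output, so it can be run across a fleet to prioritise which hosts expose http.sys listeners or still lack the Exchange update. Whether the Windows cumulative update for CVE-2022-21907 itself is installed must be checked against the KB number for the specific Windows version in Microsoft's Security Update Guide, since that number is not given on this page.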
If you have any questions or concerns about this advisory, please contact us via our support desk – email@example.com
- CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2022-21846 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21855 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21969 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
- Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: January 11, 2022 (KB5008631)
- Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws (bleepingcomputer.com)
- Microsoft fixes wormable RCE in Windows Server and Windows (CVE-2022-21907) – Help Net Security
- ASB-2022.0005 (auscert.org.au)
- Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days | Threatpost
- A Quick CVE-2022-21907 FAQ (sans.edu)