{"id":4513,"date":"2022-04-15T14:00:20","date_gmt":"2022-04-15T14:00:20","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4513"},"modified":"2026-06-08T14:54:12","modified_gmt":"2026-06-08T14:54:12","slug":"microsoft-rce-april-2022-patches","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/microsoft-rce-april-2022-patches\/","title":{"rendered":"Microsoft RCE \u2014 April 2022 patches"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">As is customary on the second Tuesday of every month, Microsoft has released its set of security updates for its operating systems and products.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This month <strong>117 patches<\/strong> were issued, covering 117 distinct vulnerabilities. Of these:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>2<\/strong> are already being exploited in the wild in active attacks (Privilege Escalation):\n<ul class=\"wp-block-list\">\n<li><code>CVE-2022-24521<\/code><\/li>\n\n\n\n<li><code>CVE-2022-26904<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>3<\/strong> are <strong>Remote Command Execution<\/strong> in <strong>NFS<\/strong> and <strong>RPC<\/strong>:\n<ul class=\"wp-block-list\">\n<li><code>CVE-2022-26809<\/code> \u2014 RPC service (TCP port 135)<\/li>\n\n\n\n<li><code>CVE-2022-24491<\/code> and <code>CVE-2022-24497<\/code> \u2014 NFS service (port 2049)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>18<\/strong> affect <strong>Windows DNS Server<\/strong>, the most critical being <code>CVE-2022-26815<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-cyber-attack-exposure\">Cyber Attack Exposure<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-public-network-exposure\">Public-Network Exposure<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Although <strong>RPC<\/strong> is generally not a service intended for public-network exposure, in practice a significant number of Italian organisations are exposed 
(<strong>approximately 7 000<\/strong> systems):<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"783\" height=\"789\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/04\/image-2.png\" alt=\"\" class=\"wp-image-4536\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-2.png 783w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-2-298x300.png 298w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-2-150x150.png 150w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-2-768x774.png 768w\" sizes=\"(max-width: 783px) 100vw, 783px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Microsoft servers exposed to the RPC vulnerability<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"326\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/04\/image-1-1024x326.png\" alt=\"\" class=\"wp-image-4533\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-1-1024x326.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-1-300x96.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-1-768x245.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-1.png 1061w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Microsoft RPC service \u2014 Top 10 cities<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Globally, the population of potentially-affected systems is approximately <strong>2 000 000<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"427\" 
src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3-1024x427.png\" alt=\"\" class=\"wp-image-4537\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3-1024x427.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3-300x125.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3-768x320.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3-1536x641.png 1536w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/image-3.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div style=\"height:42px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-internal-network-risks\">Internal-Network Risks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The CVEs below are among the most critical weaponisable items in this release \u2014 they provide privilege escalation, administrative takeover, lateral movement, and arbitrary code execution primitives. Closing this exposure window cleanly across a heterogeneous Windows estate is the kind of structured patch and posture programme delivered by our <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><code>CVE-2022-24521<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The flaw resides in the Windows <strong>Common Log File System (CLFS)<\/strong> driver and requires no user interaction to exploit. Attackers \u2014 or malicious software running with low privileges \u2014 can leverage it to obtain administrative rights on the affected host (<code>T1068<\/code> \u2014 Exploitation for Privilege Escalation). 
It affects multiple Windows versions, including Windows 11.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><code>CVE-2022-26904<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability has high attack complexity because exploitation depends on winning a <em>race condition<\/em>. A working <strong>Metasploit module<\/strong> is publicly available and successfully exploits the flaw \u2014 confidence: high.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><code>CVE-2022-26809<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability allows an attacker to execute code with elevated privileges on the victim system. Because no user interaction is required, the combination of factors makes this vulnerability <strong><em>wormable<\/em><\/strong> \u2014 at least between target hosts where the RPC endpoint is reachable. The static port involved (TCP 135) is generally blocked at the perimeter, but <strong>this CVE is the primary lateral-movement primitive of the April release<\/strong> for any attacker already inside the corporate network (<code>T1210<\/code> \u2014 Exploitation of Remote Services).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><code>CVE-2022-24491<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Technical details are not public and no working exploit is yet available. 
A bounty between <strong>25 000 and 100 000 USD<\/strong> has been announced for a reliable exploit \u2014 confidence: indicator preliminary, public weaponisation expected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-security-updates\">Security Updates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Below is the list of relevant updates required to remediate the 117 vulnerabilities released this month:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Windows Server 2012 R2 (9600) \u2014 Monthly Rollup <code>KB5012670<\/code><\/li>\n\n\n\n<li>Microsoft Windows Server 2012 (9200) \u2014 <code>KB5012666<\/code><\/li>\n\n\n\n<li>Microsoft Windows Server 2022 (20348) \u2014 Security Update <code>KB5012604<\/code><\/li>\n\n\n\n<li>Microsoft Windows Server 2019 (17763) \u2014 Security Update <code>KB5012647<\/code><\/li>\n\n\n\n<li>Microsoft Windows Server 2008 R2 (7601) \u2014 Monthly Rollup <code>KB5012626<\/code><\/li>\n\n\n\n<li>Microsoft Windows Server 2016 (14393) \u2014 Security Update <code>KB5012596<\/code><\/li>\n\n\n\n<li>Microsoft Windows 10 \u2014 <code>KB5012599<\/code>, <code>KB5012591<\/code>, <code>KB5012647<\/code><\/li>\n\n\n\n<li>Microsoft Windows 7 (7601) \u2014 Monthly Rollup <code>KB5012626<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Three RCE CVEs in the same release on services historically reachable inside the corporate perimeter \u2014 RPC and NFS \u2014 define the patch window: any host left unpatched on an internal network becomes a wormable lateral-movement primitive within hours of public exploit availability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As on the second Tuesday of every month, Microsoft has released a set of security updates (patches) for its operating systems.<\/p>\n<p>This month 117 patches were released for as many vulnerabilities; of 
these:<\/p>\n","protected":false},"author":1,"featured_media":4536,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1501],"class_list":["post-4513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-rpc-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4513"}],"version-history":[{"count":17,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4513\/revisions"}],"predecessor-version":[{"id":9819,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4513\/revisions\/9819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4536"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}