Security News > 2022 > January > Microsoft: New critical Windows HTTP vulnerability is wormable

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
The bug, tracked as CVE-2022-21907 and patched during this month's Patch Tuesday, was discovered in the HTTP Protocol Stack, which the Windows Internet Information Services (IIS) web server uses as a protocol listener for processing HTTP requests.
Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers that rely on the vulnerable HTTP Protocol Stack to process them.
On some Windows versions, the HTTP Trailer Support feature containing the bug is not enabled by default.
In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server, the Remote Desktop Services platform, and the Server Message Block v3 protocol.
Redmond also addressed another Windows HTTP RCE vulnerability in May 2021, for which security researchers released demo exploit code that could trigger blue screens of death.
Related news
- Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability
- Microsoft: Windows CLFS Vulnerability Could Lead to 'Widespread Deployment and Detonation of Ransomware'
- Microsoft: Recent Windows updates make USB printers print random text
- Microsoft patches Windows Kernel zero-day exploited since 2023
- Microsoft: March Windows updates mistakenly uninstall Copilot
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking
- Microsoft fixes Windows update bug that uninstalled Copilot
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
- Microsoft lifts Windows 11 upgrade block after Asphalt 8 crash fix
Related Vulnerability

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-01-11 | CVE-2022-21907 | Unspecified vulnerability in Microsoft products: HTTP Protocol Stack Remote Code Execution Vulnerability | 0.0 |