Security News > 2022 > April > Microsoft's huge Patch Tuesday includes fix for bug under attack

Microsoft's massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed.
While its severity score didn't rank as high as some on today's list - it received a 7.8 CVSS score aka "Important" - Microsoft stated its attack complexity low.
Though CVE-2022-24521 has been exploited, its exploit code is not public, according to Microsoft.
This flaw, which occurs in Windows User Profile Service, received a CVSS severity score of 7.0, aka important, and Microsoft ranked its attack complexity as high because "Successful exploitation of this vulnerability requires an attacker to win a race condition." That might explain why no one's exploited it yet.
The most severe bug of the bunch is a high-severity flaw in Framework that could allow an attacker to escalate privilege with no additional execution privileges needed, according to the security advisory.
Since the Java RCE vuln was first discovered last month, it's been a race between defenders, trying to patch buggy products, and attackers attempting to exploit holes in said products and unleash all types of malware.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/13/microsoft_patch_tuesday/
Related news
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
- Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day (source)
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)
- March 2025 Patch Tuesday forecast: A return to normalcy (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-04-15 | CVE-2022-24521 | Unspecified vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 0.0 |