Security News > 2022 > December > Critical Microsoft Code-Execution Vulnerability
A critical code-execution vulnerability in Microsoft Windows was patched in September.
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required.
Which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.
At the time Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information.
Microsoft gave the vulnerability a designation of "Important." In the routine course of analyzing vulnerabilities after they're patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did.
Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.
News URL
https://www.schneier.com/blog/archives/2022/12/critical-microsoft-code-execution-vulnerability.html
Related news
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability (source)
- Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’ (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK? (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Week in review: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-13 | CVE-2022-37958 | Unspecified vulnerability in Microsoft products SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | 0.0 |