Exploit released for critical Windows CryptoAPI spoofing bug
Akamai researchers have released proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability, discovered by the NSA and the U.K.'s NCSC, that allows MD5-collision certificate spoofing.
Unauthenticated attackers can exploit this bug in low-complexity attacks.
Today, security researchers with the Akamai cloud security firm have published a proof of concept exploit and shared an OSQuery to help defenders detect CryptoAPI library versions vulnerable to attacks.
Should an attack using a CVE-2022-34689 exploit be successful, it could also provide attackers with the ability to perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, such as web browsers that use Windows' CryptoAPI cryptography library.
"There is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7. We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft," Akamai said.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-11 | CVE-2022-34689 | Authentication Bypass by Spoofing vulnerability in Microsoft products Windows CryptoAPI Spoofing Vulnerability | 0.0 |