Threat Watch

Microsoft Warns of Active Exploitation of CVE-2022-26925

As part of its Patch Tuesday update yesterday, Microsoft released updates for all supported Windows versions that included fixes for 73 security flaws. One of them, CVE-2022-26925 (Windows LSA Spoofing Vulnerability), is a potentially critical issue that Microsoft has warned is already being exploited in the wild. An unauthenticated attacker who can insert themselves into the logical network path between a victim and a requested resource (a Man in the Middle, MITM, position) can call a method on the Local Security Authority remote protocol (LSARPC) interface of an unpatched server and coerce it into authenticating to the attacker's host with NTLM; the attacker then relays that authentication to another service. On its own Microsoft rates the flaw as High, but it becomes critical when chained with existing techniques such as PetitPotam, where the coerced NTLM authentication from a domain controller is relayed to Active Directory Certificate Services to obtain a certificate, giving the attacker remote access and privilege escalation across the domain. The security update detects anonymous connection attempts on the LSARPC interface and disallows them. Because domain controllers are the highest-value target for this coercion, they should be patched first, and the update does not remove the need for the NTLM relay mitigations Microsoft already recommends for AD CS (Extended Protection for Authentication and disabling NTLM where possible).
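Until the update is deployed, the same condition it blocks (anonymous, null-session access to the LSARPC pipe) can be hunted for in Windows Security event 5145, which records IPC$ named-pipe access when Detailed File Share auditing is enabled. The script below is an added illustration, not part of the original bulletin or any Microsoft tooling: it parses event text in the Event Viewer "Key: value" layout and flags anonymous opens of the lsarpc and efsrpc pipes (the latter being the PetitPotam path) as high severity, and authenticated opens from hosts outside a hypothetical allowlist as medium. The event records and the TRUSTED_SOURCES addresses are constructed for the example.

```python
"""Hunt for authentication-coercion attempts against the LSARPC/EFSRPC
named pipes in Windows Security event 5145 records.

Constructed sample data; the allowlist and addresses are assumptions.
"""
import re
from typing import Dict, List, Optional

# Pipes used for NTLM authentication coercion: lsarpc per the advisory,
# efsrpc for the PetitTotam-style MS-EFSR chain.  Matched case-insensitively.
COERCION_PIPES = {"lsarpc", "efsrpc"}

# Hypothetical allowlist: hosts expected to open these pipes (e.g. other DCs).
TRUSTED_SOURCES = {"10.0.0.10", "10.0.0.11"}

# Constructed event text in the layout Event Viewer shows for event 5145.
SAMPLE_EVENTS = """
Event ID: 5145
Subject:
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
Network Information:
    Source Address: 10.0.0.50
Share Information:
    Share Name: \\\\*\\IPC$
    Relative Target Name: lsarpc
----
Event ID: 5145
Subject:
    Account Name: DC02$
    Account Domain: CORP
Network Information:
    Source Address: 10.0.0.11
Share Information:
    Share Name: \\\\*\\IPC$
    Relative Target Name: lsarpc
----
Event ID: 5145
Subject:
    Account Name: jsmith
    Account Domain: CORP
Network Information:
    Source Address: 10.0.0.77
Share Information:
    Share Name: \\\\*\\IPC$
    Relative Target Name: efsrpc
----
Event ID: 5145
Subject:
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
Network Information:
    Source Address: 10.0.0.50
Share Information:
    Share Name: \\\\*\\IPC$
    Relative Target Name: srvsvc
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split exported event text on '----' and collect 'Key: value' lines.

    Event 5145 has one Subject block, so field names are unique per record.
    """
    records = []
    for chunk in text.split("----"):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = _KV.match(line)
            if m and m.group(2):          # skip section headers like 'Subject:'
                fields[m.group(1)] = m.group(2)
        if fields:
            records.append(fields)
    return records


def classify_event(ev: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one parsed 5145 record."""
    if ev.get("Event ID") != "5145":
        return None
    if not ev.get("Share Name", "").upper().endswith("\\IPC$"):
        return None
    pipe = ev.get("Relative Target Name", "").lower().lstrip("\\")
    if pipe not in COERCION_PIPES:
        return None
    anonymous = (ev.get("Account Name", "").upper() == "ANONYMOUS LOGON"
                 and ev.get("Account Domain", "").upper() == "NT AUTHORITY")
    if anonymous:
        return "high"      # the null-session access the May 2022 update now refuses
    if ev.get("Source Address") not in TRUSTED_SOURCES:
        return "medium"    # authenticated coercion attempt from an unexpected host
    return None


def scan(text: str) -> List[Dict[str, str]]:
    """Return one alert per suspicious record, in log order."""
    alerts = []
    for ev in parse_events(text):
        sev = classify_event(ev)
        if sev:
            alerts.append({"severity": sev,
                           "source": ev.get("Source Address", ""),
                           "pipe": ev.get("Relative Target Name", ""),
                           "account": ev.get("Account Name", "")})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['source']:12} {a['pipe']:8} {a['account']}")
```

Feed the script the message text of exported 5145 events (one record per `----` separator) and tune TRUSTED_SOURCES to the hosts that legitimately open these pipes; a burst of medium alerts from one workstation against several domain controllers is the pattern to look at next.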

ANALYST NOTES