Microsoft’s Patch Tuesday in April 2022

This month’s Patch Tuesday release includes fixes for 117 CVEs – nine rated critical and two zero-days, one of which has already been exploited and Microsoft was reported by the National Security Agency.

Microsoft has fixed CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System driver which received a CVSSv3 score of 7.8 and was exploited as zero-day. Although there is no further information on the exploitation of CVE-2022-24521, we do know that CrowdStrike and the NSA are involved in the discovery of this vulnerability.

Additionally, Microsoft has closed CVE-2022-26904, an elevation of privilege vulnerability in the User Profile Service. Although exploiting this vulnerability requires an attacker to time their attack perfectly in order to win a race condition, Microsoft has classified it as “Exploitation more likely”.

Also note that versions 4.5.2, 4.6 and 4.6.1 of Microsoft’s .NET Framework and windows 10 Version 20H2 will soon be reaching the end of support. Users are strongly advised to update their systems to ensure that they continue to receive updates.

Microsoft fixes 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the National Security Agency.

This month’s update includes fixes for:

.NET Framework

Active Directory Domain Services

Azure SDKs

Azure site recovery

LDAP – Lightweight Directory Access Protocol

Microsoft Bluetooth Driver

Microsoft Dynamics

Microsoft Edge (Chromium-based)

Microsoft Graphics Component

Microsoft Local Security Authority Server (lsasrv)

Microsoft Office Excel

Microsoft Office SharePoint

Microsoft Windows ALPC

Microsoft Windows Codec Library

Microsoft Windows Media Foundation

BI power

Role: DNS server

Role: Windows Hyper-V

Skype for Business


Visual Studio Code

Windows Companion Driver for WinSock

Windows app store

Windows AppX Package Manager

Windows Cluster Client Failover

Windows Cluster Shared Volume (CSV)

Windows Common Log File System Driver

Windows Defender

Windows DWM Core Library

Windows Device Configuration Manager

Create a Windows Fax form

Windows Feedback Center

Windows File Explorer

Windows file server

Windows installer

Windows iSCSI Target Service

Windows Kerberos

windows kernel

Windows Local Security Authority Subsystem Service

Windows Media

Windows Network File System


Windows Print Spooler Components

Windows RDP

Windows Remote Procedure Call Execution Environment

Windows channel

SMB Windows

Windows Telephony Server

Windows Upgrade Assistant

Windows User Profile Service


Windows Work Folders Service

YARP Reverse Proxy

Count by impact

Elevation of Privilege (EoP) vulnerabilities accounted for 39.3% of vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 39.3%.


CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP vulnerabilities like these are exploited post-authentication after an attacker has successfully gained access to a vulnerable system to gain elevated privileges. According to Microsoft, this vulnerability was exploited as a zero-day vulnerability, although we don’t have further details on how it was exploited. However, we do know that the vulnerability was reported to Microsoft by the National Security Agency along with CrowdStrike researchers. Organizations should ensure that they apply available patches as soon as possible. CVE-2022-24481 is another CLFS driver EoP that received the same CVSSv3 score of 7.8 and was rated “Exploitation more likely” by Microsoft’s Exploitability Index. However, it is not zero day.


CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability

CVE-2022-26904 is an EoP vulnerability in Windows User Profile Service. She received a CVSSv3 score of 7.0, which classifies her severity as significant. The attack complexity for this vulnerability is rated high because it “forces an attacker to win a race condition.” Despite its greater complexity, it is still classified as “Exploitation more likely”. This is the second of two zero days this month, as details of this vulnerability were made public before a fix was available.


CVE-2022-24491 | Windows Network File System Vulnerability (Remote Code Execution)

CVE-2022-24491 is a critical Windows Network File System (NFS) RCE vulnerability that has been assigned a CVSSv3 score of 9.8 and a more likely exploit rating. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are vulnerable to exploiting the vulnerability; However, organizations should still apply the patch to all systems to ensure that they are protected.


CVE-2022-26809 | Remote Code Execution Vulnerability When Executing a Remote Procedure Call

CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. She received a CVSSv3 score of 9.8. A remote, unauthenticated attacker could exploit this vulnerability by sending “a specially crafted RPC call to an RPC host”. However, if a fix is ​​not possible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to thwart attempts to exploit this vulnerability. Despite these mitigations, systems “may still be vulnerable to attack from the corporate environment.”


CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerabilities

CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services, both of which received a CVSSv3 score of 6.6 and were discovered by Yuki Chen using by Cyber ​​KunLun. Exploitation of this vulnerability is rated as “less likely”, which could be related to the greater complexity of the attack and the required authorizations. To successfully exploit this vulnerability, an attacker on the target network who has permission to query the domain name service must win a race condition. Only if he perfectly exploits this vulnerability in time can he reach RCE. Fixes have been released for supported versions for Windows Server and Windows Server Core installations.


15 Windows Print Spooler Elevation of Privilege Vulnerabilities

This month, Microsoft patched 15 EoP vulnerabilities in print spooler components, all of which received a CVSSv3 score of 7.8. Three of the vulnerabilities were discovered by George Hughey of the Microsoft Security Response Center Vulnerabilities and Mitigation, and the other 12 were discovered by Microsoft Offensive Research and Security Engineering. Although Microsoft categorizes these vulnerabilities as “less likely to be exploited”, attackers have exploited EoP vulnerabilities in Print Spooler in the past.
















End of support imminent

In the coming weeks, the .NET Framework and Windows 10 releases will no longer receive updates or support. On April 26, support for .NET Framework 4.5.2, 4.6, or 4.6.1 will end because they use the less secure Secure Hash Algorithm 1 (SHA-1). On May 10, version 20H2 of Windows 10 will reach end of support. Users are advised to update to the most recent versions to ensure they continue to receive important security updates.

Sustainable solutions

Users can create analytics specifically focused on our Patch Tuesday plugins. In a new advanced analysis on the Plugins tab, set an advanced filter for the name of the plugin containing April 2022.

With this set of filters, click on the plugin families on the left and activate each plugin that appears on the right. Note: If the families on the left say “Enabled”, all plug-ins in that family are enabled. Disable the whole family before selecting each plugin for this analysis. Here is an example from

A list of all plugins released for Tenable’s April 2022 Patch Tuesday Update can be found here. As always, we recommend that you patch systems as soon as possible and regularly scan your environment to identify systems that still need to be patched.

Leave a Comment