SOCRadar® Cyber Intelligence Inc. | Critical RCE Vulnerability in Microsoft RPC Could Be a Big Issue


Apr 15, 2022

A critical RCE vulnerability in the Microsoft RPC (Remote Procedure Call) communication protocol is raising concerns among cybersecurity experts. A patch for the vulnerability, tracked as CVE-2022-26809 with a CVSS score of 9.8, was released on April Patch Tuesday.

Cybersecurity researchers point out that, when the vulnerability is exploited, any command can be executed with the same privilege level as the RPC server, allowing full admin access.

The vulnerability provides ideal conditions for threat actors to perform lateral movement on the network. This supports the view that ransomware gangs will frequently exploit it in the future.

Ransomware groups pose a threat to businesses across a wide range of industries, and it is challenging to mitigate the impact of an assault once it has occurred.

How Does the Vulnerability Affect Systems?

Microsoft Remote Procedure Call (RPC) allows processes to communicate with each other even if they are running on another device. It uses ports 445 and 135 of the RPC hosts to accomplish this. This makes it easier for threat actors to spread through the system once they reach the RPC server.

Cybersecurity researchers are almost sure that this vulnerability will be exploited widely. They think that something similar to the Blaster worm in 2003 and the WannaCry attacks in 2017 could happen.

Who is Vulnerable?

Machines that are vulnerable worldwide. (Source: Shodan)

All unpatched Windows machines with port 445 open to the internet are currently vulnerable. According to Shodan, over 700,000 Windows machines expose this port to the internet.

Antonio Cocomazzi of SentinelOne explained that the vulnerability was successfully exploited on a private RPC server.

In his tweet, Cocomazzi says that the vulnerability could be exploited on the RPC server. (Source: Twitter)

It is still unclear what conditions must be met for the vulnerability to be exploited. The researchers are continuing their analysis.

Third-Party Apps May Also Be Affected

The fact that the vulnerable “rpcrt4.dll” is used not only by Microsoft services but also by many other applications suggests that the vulnerability may also affect third-party applications. Even if Windows ports are closed, backup services, antivirus programs, and endpoint software may be vulnerable.

Vulnerability analyst Will Dormann also recommends blocking port 445 as a mitigation measure. (Source: Twitter)

Applying Microsoft’s security updates urgently is strongly advised for this and other vulnerabilities.
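To check that a perimeter ruleset really enforces the port 445 block recommended above, and covers port 135 as well, the following added example (not part of the original article) walks a first-match ruleset and reports every allow rule that still admits traffic to those ports. The rule tuple format, the function name `exposures`, and the documentation-range addresses are constructed for illustration; it handles IPv4 only.

```python
import ipaddress

RPC_PORTS = (135, 445)  # the ports the article names for Microsoft RPC

# Constructed sample ruleset in a hypothetical format, evaluated top-down,
# first match wins: (action, source CIDR, destination CIDR, first port, last port)
SAMPLE_RULES = [
    ("allow", "0.0.0.0/0",       "203.0.113.10/32", 443, 443),    # web server
    ("allow", "198.51.100.0/24", "203.0.113.0/24",  445, 445),    # partner file share
    ("deny",  "0.0.0.0/0",       "203.0.113.0/24",  135, 139),    # partial RPC block
    ("allow", "0.0.0.0/0",       "203.0.113.20/32", 1,   1024),   # overly broad rule
    ("deny",  "0.0.0.0/0",       "0.0.0.0/0",       1,   65535),  # default deny
]


def exposures(rules, hosts, ports=RPC_PORTS):
    """Return (host, port, source_cidr, rule_index) for every allow rule
    that can still fire for that host and port under first-match semantics."""
    findings = []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        for port in ports:
            decided = []  # source networks already matched by an earlier rule
            for idx, (action, src, dst, lo, hi) in enumerate(rules):
                if addr not in ipaddress.ip_network(dst) or not lo <= port <= hi:
                    continue  # rule does not apply to this host and port
                src_net = ipaddress.ip_network(src)
                if any(src_net.subnet_of(seen) for seen in decided):
                    continue  # fully shadowed by an earlier rule, never fires
                if action == "allow":
                    findings.append((host, port, src, idx))
                decided.append(src_net)
                if src_net.prefixlen == 0:
                    break  # rule matches every remaining source
    return findings


if __name__ == "__main__":
    for host, port, src, idx in exposures(SAMPLE_RULES, ["203.0.113.10", "203.0.113.20"]):
        scope = "ANY source" if src.endswith("/0") else f"sources in {src}"
        print(f"{host}:{port} reachable from {scope} (rule #{idx})")
```

In the sample, the deny on 135-139 leaves port 445 uncovered, so the partner rule and the broad 1-1024 rule both surface as findings.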
