Threat 

Remote Code Execution through Microsoft RPC 

Vulnerability 

Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)¹ 

• CVSS – 9.8 CRITICAL 
• Vulnerability Publication Date – 4/12/2022 
• Exploits Available – Most Likely  

Description 

Of the 128 vulnerabilities in Microsoft’s April patch, 10 have a critical severity but CVE-2022-26809 is raising the most concern. The vulnerability affects windows hosts running Remote Procedure Call Runtime (RPC)². Server Message Block (SMB)³ protocol is commonly used in conjunction with RPC, causing TCP port 445 a likely attack vector.   

This vulnerability can result in remote code execution and allows for self-propagating exploits. WORMs require no user interaction to spread throughout a company’s network. There is little information currently to determine if this vulnerability is being actively exploited, but with the potential to spread, it would only seem a matter of time before it is used in attacks.  

Recommendations / Remediation 

Contact FortifyData for a demonstration and discussion on how we can identify this vulnerability through our internal risk assessment.

Block TCP port 445 at the enterprise perimeter firewall⁴ 

Install KB5012666: Windows Server 2012 Security Update (April 2022) 

**These are generalized recommendations that may not be effective for all organizations and environments. ** 

References 

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809 
2. https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page 
3. https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview#:~:text=The%20Server%20Message%20Block%20(SMB,is%20a%20dialect%20of%20SMB. 
4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809