Researchers have identified a Windows code execution vulnerability that has the potential to rival EternalBlue, the Windows security issue that was used to ignite WannaCry, which took down computer networks around the world in 2017.

The newly discovered vulnerability is listed as CVE-2022-37958. It allows an attacker to run malicious code without authentication, similar to EternalBlue.

The vulnerability is also wormable, like EternalBlue and the notorious ransomware built on it, which means that a single attack can start a chain reaction of self-replicating attacks on additional susceptible devices. EternalBlue’s wormability enabled WannaCry and other attacks to spread across the globe in minutes without requiring user involvement.

How it works

“An attacker can trigger the vulnerability via any Windows application protocol that authenticates”, said Valentina Palmiotti, the IBM security researcher who found the code-execution flaw and gave an interview explaining how it works.

“For example, the vulnerability can be triggered by trying to connect to an SMB share or via Remote Desktop. Some other examples include Internet-exposed Microsoft IIS servers and SMTP servers that have Windows Authentication enabled. Of course, they can also be exploited on internal networks if left unpatched.”
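The protocols Palmiotti lists (SMB, Remote Desktop, IIS and SMTP with Windows Authentication) are the places a defender would check first. The following PowerShell script is an added triage example, not code from the article, IBM or Microsoft: it inventories listening services on a single Windows host for those protocols and flags the host if its newest installed update predates the September 2022 Patch Tuesday (2022-09-13), when the fix for CVE-2022-37958 shipped. The port-to-protocol mapping and the install-date heuristic are this script's assumptions; the article does not give the update's KB number, so the script does not check for one.

```powershell
# Added example, not from the article: defender-side exposure triage for one
# Windows host. Ports below are assumed defaults for the protocols the article
# names; the patch check is a date heuristic, not a lookup of a specific KB.

$authenticatingPorts = @{
    445  = 'SMB'
    3389 = 'Remote Desktop'
    25   = 'SMTP'
    80   = 'IIS (HTTP)'
    443  = 'IIS (HTTPS)'
}

function Get-AuthenticatingListeners {
    # Map each listening TCP socket on a port of interest to its owning process.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $authenticatingPorts.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $_.LocalPort
                Protocol = $authenticatingPorts[[int]$_.LocalPort]
                Address  = $_.LocalAddress
                Process  = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Pid      = $_.OwningProcess
            }
        } | Sort-Object Port -Unique
}

function Test-PatchedSinceSeptember2022 {
    # Heuristic (assumption): the newest hotfix with a known install date must be
    # on or after the 2022-09-13 Patch Tuesday. Confirm against the actual KB
    # for your Windows build before treating a host as patched.
    $cutoff = Get-Date '2022-09-13'
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        LatestHotFix = if ($latest) { $latest.HotFixID } else { $null }
        InstalledOn  = if ($latest) { $latest.InstalledOn } else { $null }
        Patched      = [bool]($latest -and $latest.InstalledOn -ge $cutoff)
    }
}

$listeners = @(Get-AuthenticatingListeners)
$patch     = Test-PatchedSinceSeptember2022

Write-Host "Listening services that authenticate Windows clients:"
$listeners | Format-Table -AutoSize

if ($patch.Patched) {
    Write-Host "Updates installed since 2022-09-13 (latest: $($patch.LatestHotFix) on $($patch.InstalledOn))."
} else {
    Write-Warning "No update dated on or after 2022-09-13 found; $($listeners.Count) authenticating service(s) are listening on an unpatched host."
}
```

Run it in an elevated PowerShell session so `Get-NetTCPConnection` can resolve owning processes. A host that shows listeners on these ports and no update since the cutoff is the combination the article describes as exposed; a host with the update still benefits from limiting which of those services are reachable from the Internet.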

Inaccurate designation

Microsoft released a fix for CVE-2022-37958 in September’s Patch Tuesday. However, at the time, researchers believed that the vulnerability only allowed the disclosure of potentially sensitive information, and designated it as ‘Important’ as a result.

When analyzing the vulnerability after the patch was issued, Palmiotti found that the threat allowed remote code execution (RCE) in much the same way EternalBlue did. Last week, Microsoft changed the designation from ‘Important’ to ‘Critical’ with a severity rating of 8.1, the same score as EternalBlue.

Despite the newfound threat, Palmiotti sounded optimistic. “While EternalBlue was an 0-Day, luckily this is an N-Day with a three month patching lead time”, the researcher said.
