On 11 January 2022 (Patch Tuesday) Microsoft released patches for 97 CVE-numbered vulnerabilities, including a wormable remote code execution flaw in the Windows HTTP Protocol Stack (http.sys), tracked as CVE-2022-21907. In practice this means an unauthenticated attacker on your network can send a specially crafted packet to any Windows host that has http.sys listening (IIS web servers, but also services such as WinRM and WSUS that use the same kernel HTTP driver) and run code on that host without credentials or any user interaction; because the flaw is wormable, a compromised host could in turn attack its neighbours.
The vulnerability carries a CVSSv3 score of 9.8. Affected versions are Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022; patching affected systems should be prioritised immediately, starting with anything that exposes an HTTP listener to untrusted networks.
The flaw has not yet been seen exploited in the wild, but Microsoft’s Exploitability Index rates it ‘Exploitation More Likely’.
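As an added example (not part of the original advisory), the following PowerShell script triages a single Windows host for this issue: it reads the OS build and update revision, compares it with the January 2022 cumulative-update builds, checks the EnableTrailerSupport registry value that Microsoft’s advisory names as the switch for the vulnerable code path on Windows Server 2019 and Windows 10 1809, and lists what http.sys is currently serving. The build revisions and KB numbers are taken from the Microsoft update articles and should be confirmed against the MSRC advisory before relying on the output; the script is assumed to run in an elevated session on the host being checked.

```powershell
# Added triage example for CVE-2022-21907; not code from the original advisory.
# Run in an elevated PowerShell session on the host being checked.

# Build revisions of the January 2022 cumulative updates, keyed by OS build
# (taken from the Microsoft KB articles; confirm against the MSRC advisory).
# Builds not listed here (e.g. unsupported releases) are reported for manual review.
$fixedRevision = @{
    '17763' = 2452   # Windows 10 1809 / Windows Server 2019 (KB5009557)
    '19042' = 1466   # Windows 10 20H2                      (KB5009543)
    '19043' = 1466   # Windows 10 21H1                      (KB5009543)
    '19044' = 1466   # Windows 10 21H2                      (KB5009543)
    '20348' = 469    # Windows Server 2022                  (KB5009555)
    '22000' = 434    # Windows 11 21H2                      (KB5009566)
}

# ProductName may still read "Windows 10" on Windows 11; the build number is authoritative.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$ver.CurrentBuildNumber
$ubr   = [int]$ver.UBR          # Update Build Revision, bumped by each cumulative update
Write-Host "$env:COMPUTERNAME : $($ver.ProductName) build $build.$ubr"

# 1. Patch state. Later cumulative updates supersede the January one, so a
#    revision at or above the fixed one counts as patched.
$patched = $null
if ($fixedRevision.ContainsKey($build)) {
    $patched = ($ubr -ge $fixedRevision[$build])
    Write-Host "  Fix for CVE-2022-21907 present: $patched"
} else {
    Write-Host "  Build $build is not in the lookup table; check its patch state manually."
}

# 2. Mitigating factor, Server 2019 / Windows 10 1809 only: Microsoft's advisory
#    states the vulnerable HTTP trailer parsing is inactive on these builds
#    unless EnableTrailerSupport=1 is set under HTTP\Parameters.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$trailer = (Get-ItemProperty -Path $httpParams -Name EnableTrailerSupport `
            -ErrorAction SilentlyContinue).EnableTrailerSupport
$codePathEnabled = $true
if ($build -eq '17763') {
    $codePathEnabled = ($trailer -eq 1)
    $shown = if ($null -eq $trailer) { '<not set>' } else { $trailer }
    Write-Host "  EnableTrailerSupport = $shown (vulnerable path enabled: $codePathEnabled)"
}

# 3. Exposure: every URL registered with http.sys is a path an unauthenticated
#    packet can reach. IIS is the obvious one, but WinRM (5985/5986), WSUS and
#    other services use the same kernel driver.
$urls = @(netsh http show servicestate view=requestq 2>$null |
          Select-String -Pattern 'https?://\S+' |
          ForEach-Object { $_.Matches[0].Value } |
          Sort-Object -Unique)
if ($urls.Count -gt 0) {
    Write-Host "  http.sys is serving $($urls.Count) URL(s):"
    $urls | ForEach-Object { Write-Host "    $_" }
} else {
    Write-Host "  No URLs registered with http.sys (nothing listening via the kernel HTTP driver)."
}

# 4. Verdict.
if ($null -eq $patched) {
    Write-Host "RESULT: UNKNOWN - build not in table"
} elseif (-not $patched -and $codePathEnabled) {
    $exposure = if ($urls.Count -gt 0) { ', with http.sys listeners exposed' } else { '' }
    Write-Host "RESULT: VULNERABLE - unpatched and vulnerable code path active$exposure"
} elseif (-not $patched) {
    Write-Host "RESULT: NOT EXPLOITABLE AS CONFIGURED - unpatched, but trailer support is off; still patch"
} else {
    Write-Host "RESULT: PATCHED"
}
```

To run this across a fleet, wrap the body in a script block and dispatch it with Invoke-Command to the hosts in scope; the netsh listener list is the useful part for ordering the patch queue, since a host with no http.sys registrations is not reachable through this bug even if it is unpatched.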
We would also like to remind you that similar vulnerabilities exist in Windows 7 and 8, as well as Server 2003 and 2008. However, as these are end-of-life, Microsoft no longer assesses them for this class of flaw and develops no further patches for them. If you currently operate any of these legacy operating systems, we encourage you to discuss upgrade options with your account team as soon as possible.
Microsoft have since withdrawn their January Windows Server updates because of critical bugs in them. We will apply the update to servers as soon as a corrected release is available.
We will continue to patch Windows 10 desktops as normal.