Vendor Vulnerabilities Published In April 2022

Vendor Vulnerabilities are a common cybersecurity challenge businesses face when introducing third-party products and services to their network.

Whether it’s a security flaw located in a network, server or application, businesses relying on third-party vendors are often the ones left to resolve the issues.

To support you in resolving known vulnerabilities as quickly as possible, we have outlined some of the main third-party vendor vulnerabilities announced in April 2022. These include:


  1. Microsoft’s monthly patches
  2. Git security vulnerability
  3. Adobe vulnerability patches
  4. Google Chrome Zero-Day Vulnerability


1. Microsoft Patch Tuesday

This month Microsoft patched 145 vulnerabilities, including three rated critical with a CVSS score of 9.8 and seven scored 7.7 and above.


Immediate Patch Recommended for CVE-2022-26809

CVE-2022-26809 is an RPC Runtime Library Remote Code Execution Vulnerability. The flaw, which is rated 9.8 on the CVSS scale, could allow a remote attacker to execute code at high privileges on an affected system.

We are currently monitoring this vulnerability and will add any updates here.


Other Microsoft Vulnerabilities of Interest


CVE-2022-24491 and CVE-2022-24497 - Windows Network File System Remote Code Execution Vulnerability

CVE-2022-24491 and CVE-2022-24497 are also rated 9.8 and are listed as ‘exploitation more likely’.

On systems where the Windows Network File System (NFS) role is enabled, both vulnerabilities could allow a remote attacker to execute code on an affected system with high privileges and without any user interaction.


CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability


CVE-2022-26904, a privilege escalation vulnerability, allows an attacker to gain code execution at system level on affected systems.

Microsoft has categorised this vulnerability as high complexity to exploit. Proof of Concept (PoC) code is also available for this vulnerability.


CVE             Title                                                                     Severity  CVSS
--------------  ------------------------------------------------------------------------  --------  ----
CVE-2022-26809  RPC Runtime Library Remote Code Execution Vulnerability                   Critical  9.8
CVE-2022-24491  Windows Network File System Remote Code Execution Vulnerability           Critical  9.8
CVE-2022-24497  Windows Network File System Remote Code Execution Vulnerability           Critical  9.8
CVE-2022-23259  Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability  Critical  8.8
CVE-2022-24541  Windows Server Service Remote Code Execution Vulnerability                Critical  8.8
CVE-2022-24500  Windows SMB Remote Code Execution Vulnerability                           Critical  8.8
CVE-2022-23257  Windows Hyper-V Remote Code Execution Vulnerability                       Critical  8.6
CVE-2022-26919  Windows LDAP Remote Code Execution Vulnerability                          Critical  8.1
CVE-2022-22008  Windows Hyper-V Remote Code Execution Vulnerability                       Critical  7.7
CVE-2022-24537  Windows Hyper-V Remote Code Execution Vulnerability                       Critical  7.7

As with all security vulnerabilities, it’s recommended to apply the patches as soon as possible to prevent cyber security attacks or breaches.



2. Git Security Vulnerability

On 12th April, several vulnerabilities were discovered in Git, including two main flaws which affect local Git installations and Git for Windows.


CVE-2022-24765

CVE-2022-24765 is the more serious of the two main flaws and allows an attacker to execute arbitrary commands. Users who work on multi-user machines are most at risk from this vulnerability.

Commenting on the vulnerability, GitHub added that “a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.

Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.”


CVE-2022-24767

The second vulnerability, CVE-2022-24767, is limited to the Git for Windows uninstaller, which runs within the user's temporary directory.

In their press release on the matter, GitHub noted that “Because the system user account inherits the default permissions of C:\Windows\Temp (which is world-writable), any authenticated user can place malicious .dll files which are loaded when running the Git for Windows uninstaller when run via the system account.”


Git Upgrade is Advised

Git users are advised to upgrade their systems to Git v2.35.2 or higher in order to protect their systems against potential cyber security attacks.

Linux and macOS users are also advised to upgrade, given that they are affected by the second flaw described above.
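Two defensive checks for the CVE-2022-24765 scenario described above, written for this post as an added example (not code from the Secora post or from the Git project): one compares the installed git version against the fixed release 2.35.2, the other walks from a directory up to / and reports any .git entry owned by a different user, which is the planted-parent-directory layout GitHub describes. It assumes POSIX sh with a GNU or BSD stat; the optional uid argument to find_foreign_git_dirs is a hypothetical convenience so the check can be exercised in a test.

```sh
#!/bin/sh
# Added example (not code from the Secora post or from the Git project): two
# defensive checks for CVE-2022-24765 on a shared Linux/macOS host.
#  1. Is the installed git at or above the fixed release, 2.35.2?
#  2. Does any ancestor of a directory contain a ".git" owned by another user,
#     i.e. the planted-parent-directory layout the advisory describes?
# Assumes POSIX sh plus a GNU or BSD "stat"; the uid override in
# find_foreign_git_dirs exists only so the check can be exercised in a test.

# version_ge A B: exit 0 when dotted version A >= B, comparing component-wise.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; a=${a#*.}
        bx=${b%%.*}; b=${b#*.}
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 1
    done
    return 0
}

# git_is_fixed "git version 2.35.2 (...)": exit 0 when the version is >= 2.35.2.
git_is_fixed() {
    set -- $1                      # split on whitespace; $3 is the version
    version_ge "$3" 2.35.2
}

# stat_uid PATH: numeric owner uid, trying the GNU flag first, then BSD/macOS.
stat_uid() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

# find_foreign_git_dirs DIR [UID]: walk from DIR up to / and print every ".git"
# not owned by UID (default: the caller). Exit 1 if any were found, else 0.
find_foreign_git_dirs() {
    dir=$(cd "$1" && pwd -P) || return 2
    me=${2:-$(id -u)}
    found=0
    while :; do
        if [ -e "$dir/.git" ] && [ "$(stat_uid "$dir/.git")" != "$me" ]; then
            echo "foreign .git: $dir/.git (owner uid $(stat_uid "$dir/.git"))"
            found=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $found
}

# Stand-alone run: check the real git and the directory given (default: cwd).
if command -v git >/dev/null 2>&1; then
    git_is_fixed "$(git --version)" && echo "git >= 2.35.2: ok" || echo "git < 2.35.2: upgrade"
fi
if find_foreign_git_dirs "${1:-.}"; then echo "no foreign .git in parent chain"; fi
```

Run it from a checkout on the shared machine to see whether any directory above it carries a .git you do not own; pre-release suffixes such as "-rc1" are not parsed by version_ge.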



3. Adobe Vulnerability Patches

Adobe released patches addressing 70 CVEs in a number of their applications including Acrobat, Acrobat Reader, Photoshop, After Effects and Adobe Commerce.


Acrobat and Acrobat Reader Vulnerabilities

Acrobat and Acrobat Reader vulnerabilities account for 62 of the 70 CVEs being addressed in the April patch.

The vulnerabilities, which have been given a Critical rating by Adobe, are described as use after free (UAF) and Out of Bounds (OOB) vulnerabilities, which could potentially allow an attacker to execute code on a target system if a user can be convinced to open a specially crafted PDF document.


Photoshop Vulnerabilities

The Adobe patch included fixes for 13 CVEs in Photoshop. These vulnerabilities could allow a malicious actor to gain code execution once a user has been convinced to open a specially crafted malicious file.


After Effects Vulnerabilities

Two critical-rated CVEs in After Effects were addressed in the latest patch. Both bugs have been listed as stack-based buffer overflows.


Adobe Commerce Vulnerabilities

Adobe Commerce was patched for one critically rated vulnerability. The vulnerability, rated with a CVSS of 9.1, requires authentication and admin privileges to exploit.



4. Google Chrome Zero-Day Vulnerability

Only days ago, Google rolled out its third emergency update of the year addressing another critical zero-day affecting its Chrome web browser, CVE-2022-1364.

This patch comes weeks after another critical zero-day known as CVE-2022-1096.

The affected component, V8, is an open-source JavaScript engine used in Google Chrome and other Chromium-based browsers, including Microsoft Edge.

Google has identified the CVE-2022-1364 vulnerability as high severity but, like the previous vulnerability, little information is available as to whether it is being actively exploited by malicious attackers.


Installing Patches


Google Chrome

To check that your Google Chrome browser has been updated to version 100.0.4896.127 or higher, navigate to Chrome Menu > Help > About Google Chrome.


Microsoft Edge

To check that your Microsoft Edge browser has been updated to version 99.0.1150.55, navigate to settings/about. If the version is 100.0.4896.127 or higher, it is no longer vulnerable to the zero-day issue.

Chromium powers a large number of browsers, including Opera, Vivaldi, Brave and Colibri. It is expected that updates will be pushed out over the coming days.


How can we help?

Identifying cyber security vulnerabilities without an expert’s eye can be a difficult task.

At Secora Consulting, we offer a wide range of services which we tailor to meet our clients’ individual requirements.


Cyber Hygiene Assessment

Our Cyber Hygiene Assessment can support you in reducing exposure to cyber-attacks by gaining insight into weaknesses in your current cyber security posture and putting in place some good practice controls to increase your cyber defenses.


Vulnerability Assessment

Our Vulnerability Assessment service can provide you with a prioritised list of your vulnerabilities and easy-to-follow remediation advice to immediately improve your cyber security posture.


Partner With Us Today

Partner with us today and our experienced consultants will go the extra mile to ensure your organisation stays secure by:

  • Validating implemented security controls
  • Prioritising your risks based on their exploitability and impact
  • Providing expert and effective advice to immediately improve your cybersecurity posture

Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.

Secure your success.

If you have any questions or are unsure if the steps you are taking to help keep your organisation secure are working, please reach out to us.