
CVE-2022-26809: Microsoft RPC Remote Code Execution


Introduction

On April 12th, 2022, Microsoft announced a fix for a vulnerability affecting Windows hosts running the Remote Procedure Call Runtime (RPC), which is commonly used alongside Windows SMB. The vulnerability has been given a CVSS score of 9.8 (critical): the attack requires no authentication, can be launched remotely over a network, and can result in remote code execution (RCE).

The vulnerability was assigned CVE-2022-26809, and administrators can find more information on Microsoft’s MSRC. Details of the exact flaw are currently sparse, since publishing too much information would help bad actors build a wormable exploit. We know that Windows hosts running SMB are vulnerable to this attack, and host owners should follow Microsoft’s guide to securing SMB traffic in Windows. Although the vulnerability appears to exist in any service that uses the Microsoft RPC mechanisms, SMB (port 445) is the most widely exposed and therefore the most likely target of an attack.

A Censys View

Censys data shows that as of April 13th, 2022, 1,304,288 hosts are running the SMB protocol, 824,011 (63%) of which were identified as running a Windows-based operating system. Readers should note that Censys could not determine the running OS for approximately 369,485 (28%) hosts running SMB.

Top Five Countries Running SMB

Country          Host Count
United States       366,236
Russia              144,622
Hong Kong            72,885
Germany              70,980
France               56,659

Top Five Autonomous Systems Running SMB

AS Name                      AS Number   Host Count
ROSTELECOM-AS                AS12389         92,783
PEGTECHINC                   AS54600         52,200
EGIHOSTING                   AS18779         50,429
OVH                          AS16276         45,189
HINET Data Communications    AS3462          41,428

For Censys Customers

A risk for exposed SMB services already exists for Censys ASM customers, but in light of this vulnerability, we have increased the criticality from “high” to “critical” along with a note about this CVE.

Updates

Censys will continue to monitor this issue, and update this post accordingly.

About the Author

Mark Ellzey
Senior Security Researcher
Mark Ellzey is a Senior Security Researcher at Censys. Before his current role, Mark worked for over 22 years as both a network security engineer and a software developer for several internet service providers and financial institutions.