Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Active Exploitation of Windows LSA Spoofing Vulnerability
Alerts

Active Exploitation of Windows LSA Spoofing Vulnerability

6 July 2022

There have been reports of active exploitation of a Windows Local Security Authority (LSA) spoofing vulnerability (CVE-2022-26925) that is confirmed to be a new PetitPotam Windows NT LAN Manager (NTLM) Relay attack vector.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to call a method on the Local Security Authority Remote Procedure Call (LSARPC) interface and coerce the domain controller to authenticate the attacker using NTLM, allowing the attacker to possibly take over the entire Windows domain.

Users and administrators are advised to apply the relevant security update, which will help to detect anonymous connection attempts in LSARPC and disallow them. Users and administrators are also advised to conduct any necessary testing to ensure that the application of the update will not cause any service authentication problems within their environment.

References:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925
https://nvd.nist.gov/vuln/detail/CVE-2022-26925



Back to top