Light Dark
December 13, 2022 By Chris Thompson 2 min read
Adversary Services
Security Services
Software Vulnerabilities
X-Force

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code.

The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols. It has the potential to be wormable.

The vulnerability could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), by default. This list of affected protocols is not complete and may exist wherever SPNEGO is in use, including in Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.

Unlike the vulnerability (CVE-2017-0144) exploited by EternalBlue and used in the WannaCry ransomware attacks, which only affected the SMB protocol, this vulnerability has a broader scope and could potentially affect a wider range of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks. This vulnerability does not require user interaction or authentication by a victim on a target system.

Microsoft has classed this vulnerability as “Critical,” with all categories rated at a maximum severity with the exception of “Exploit Complexity,” which is rated High, as it may require multiple attempts for successful exploitation. This brings the overall CVSS 3.1 score to “8.1.” Unpatched systems with the default configuration are vulnerable.

As part of its responsible disclosure policy, X-Force Red has worked with Microsoft on this reclassification. In order to give defenders time to apply the patches, IBM will refrain from releasing full technical details until Q2 2023.

Recommendations

Due to the widespread use of SPNEGO, we strongly recommend that users and administrators apply the patch immediately to protect against all potential attack vectors. The fix is included in September 2022 security updates and impacts all systems Windows 7 and newer.

Additional recommendations from X-Force Red include:

  • Review what services, such as SMB and RDP, are exposed to the internet.
  • Continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled.
  • Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.

Learn more about IBM X-Force Red Adversary Simulation Services here.

Schedule a consult with X-Force here.

 |  |  |  |  | 
Chris Thompson
Global Head of X-Force Red

More from Adversary Services
March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

January 6, 2025

Abusing MLOps platforms to compromise ML models and enterprise data lakes

15 min read - For full details on this research, see the X-Force Red whitepaper “Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes”.Machine learning operations (MLOps) platforms are used by enterprises of all sizes to develop, train, deploy and monitor large language models (LLMs) and other foundation models (FMs), as well as the generative AI (gen AI) applications built on top of these models. The rush to leverage AI throughout enterprises has meant that security has been often…

September 4, 2024

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature