Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks

Microsoft this week released an out-of-band security update for its Endpoint Configuration Manager solution to patch a vulnerability that could be useful to malicious actors for moving around in a targeted organization’s network.

The vulnerability is tracked as CVE-2022-37972 and it has been described by Microsoft as a medium-severity spoofing issue. The tech giant has credited Brandon Colley of Trimarc Security for reporting the flaw.

In its advisory, Microsoft said there is no evidence of exploitation, but the vulnerability has been publicly disclosed.

Prajwal Desai has published a brief blog post describing the patch, but Colley told SecurityWeek that he has yet to make public any information and noted that he has been working with Microsoft on coordinated disclosure. The researcher believes that Microsoft’s advisory says the issue has been publicly disclosed because the tech giant is aware that he will talk about it at the BSidesKC conference this weekend.

The researcher expects a blog post detailing CVE-2022-37972 to be published only in November. However, he noted that it is related to an issue described in a July blog post on the attack surface of Microsoft System Center Configuration Manager (SCCM) client push accounts.

SCCM is the previous name of Microsoft Endpoint Configuration Manager (MECM), an on-premises management solution for desktops, servers and laptops, allowing users to deploy updates, apps, and operating systems. One method for deploying the needed client application to endpoints is client push installation, which enables admins to easily and automatically push clients to new devices.

In the July blog post, Colley showed how an attacker with admin privileges on one endpoint could abuse client push installation design flaws to obtain hashed credentials for all configured push accounts.

He warned that since some of these accounts could have domain admin or elevated privileges on several machines in the enterprise, they can be leveraged by threat actors for lateral movement and even as part of a disruptive ransomware attack.

The attack is possible, in part, due to a setting that allows connections to fall back to the less secure NTLM authentication protocol.

NTLM setting vulnerability in Microsoft Endpoint Configuration Manager

The MECM vulnerability patched this week by Microsoft with an out-of-band update is related to the use of NTLM authentication. The researcher explained that before Microsoft fixed the flaw, it was possible to force NTLM authentication for the client push account.

“Prior to this patch, it was possible for an attacker to bypass the NTLM connection fallback setting which was previously thought to have prevented the type of attack in my July blog,” Colley told SecurityWeek.
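As an added example (not part of the article, and not code from Microsoft or Trimarc), the following defender-side triage of Windows Security 4624 logon events flags the two conditions the article describes: a client push account authenticating with NTLM rather than Kerberos (the fallback the attack relies on), and a push account logging on from somewhere other than the site server, which is what reuse of a captured push credential for lateral movement would look like. The push account name, site server address and sample events are constructed assumptions.

```python
"""Triage Windows Security 4624 events for MECM client push accounts.
Added example (not SecurityWeek's or Microsoft's code); accounts, IPs and
events are constructed. Flags the NTLM fallback the article describes and
push-account logons that do not originate from the site server."""
from dataclasses import dataclass

PUSH_ACCOUNTS = {r"corp\svc_cm_push"}      # assumption: configured push accounts
SITE_SERVER_IPS = {"10.0.0.5"}             # assumption: hosts that initiate push


@dataclass(frozen=True)
class Finding:
    account: str
    target_host: str  # computer that recorded the event
    source_ip: str
    reason: str


def triage_4624(events):
    """Return findings for network logons (LogonType 3) by push accounts."""
    findings = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        account = f"{e['TargetDomainName']}\\{e['TargetUserName']}".lower()
        if account not in PUSH_ACCOUNTS:
            continue
        host, src = e["Computer"], e.get("IpAddress", "-")
        if e.get("AuthenticationPackageName", "").upper() == "NTLM":
            findings.append(Finding(account, host, src, "NTLM fallback"))
        if src not in SITE_SERVER_IPS:
            findings.append(Finding(account, host, src, "unexpected source"))
    return findings


def _ev(computer, ip, user, pkg):  # constructed 4624 record, not real telemetry
    return {"EventID": 4624, "LogonType": 3, "Computer": computer, "IpAddress": ip,
            "TargetDomainName": "CORP", "TargetUserName": user,
            "AuthenticationPackageName": pkg}


SAMPLE_EVENTS = [
    _ev("WS01", "10.0.0.5", "svc_cm_push", "Kerberos"),  # normal push
    _ev("WS02", "10.0.0.5", "svc_cm_push", "NTLM"),      # fallback to NTLM
    _ev("FS01", "10.0.0.77", "svc_cm_push", "NTLM"),     # account reused elsewhere
    _ev("FS01", "10.0.0.77", "jdoe", "NTLM"),            # not a push account
]

if __name__ == "__main__":
    for f in triage_4624(SAMPLE_EVENTS):
        print(f"{f.target_host}: {f.account} from {f.source_ip}: {f.reason}")
```

In practice the event dicts would come from forwarded endpoint logs (for example, Windows Event Forwarding or a SIEM export), since the 4624 event is written on the machine the push account authenticates to.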

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged administrators to review Microsoft’s advisory and apply the necessary updates.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.