Detect to protect: Reposify’s EASM flags exposed assets vulnerable to Microsoft SMB (CVE-2022-26809)


Microsoft released over 100 security updates in its monthly patch cycle, among them fixes for critical remote code execution (RCE) vulnerabilities in Microsoft’s Server Message Block (SMB), a protocol used primarily for file sharing and inter-process communication, including Remote Procedure Calls (RPCs).

The flaw, tracked as CVE-2022-26809 and rated CVSS 9.8, allows an attacker to send an RPC call to a host with an open SMB port and execute code remotely. It is one of three RPC vulnerabilities Microsoft patched; the other two are tracked as CVE-2022-24492 and CVE-2022-24528.

How can these vulnerabilities affect my organization?

Successful exploitation of this vulnerability can give attackers remote access to internal and external-facing systems, all without authentication. In the case of the Microsoft vulnerabilities, the attacker will be able to execute code on the vulnerable machines with the privileges of the RPC service through the SMB port (445). The attack is relatively easy to carry out and doesn’t require technical knowledge. The vulnerability may also allow attackers to move laterally and look for additional vulnerable systems or further vulnerabilities in the network.

This exploitation scenario should raise alarm for CISOs. Reposify’s EASM platform enables real-time asset monitoring. In this example, more than 800,000 nodes with the SMB protocol open have been identified using the Reposify EASM platform. Some of these are hosted on systems with the patch installed, but most are still unpatched. These vulnerabilities are a direct vector for malicious parties to take advantage of the unpatched systems, posing undue risk to the organization at large.

My company is vulnerable. What steps can I take to defend against these threats?

First, immediately install Microsoft’s security updates and make sure your organization’s Windows machines are updated. It’s critical that all companies avoid exposing SMB outside the organization’s perimeter, as this only widens the exposure.
As for what companies should do if they aren’t in a position to patch immediately, the best place any of us can start is preparedness. Organizations can only protect assets they know are there. An EASM platform like Reposify’s gives companies a precisely mapped, comprehensive picture of their asset inventory. It frees up manpower critical to security teams as they grapple with RCE flaws like the one Microsoft disclosed, allowing organizations to shorten response time by assessing where they are most exposed.
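One way to act on the two recommendations above on a single Windows host, as an added example that is not Reposify’s code: it checks whether TCP 445 is listening on a host that carries a routable IPv4 address, checks for a patch KB (the page names none, so the KB is a labelled placeholder), and adds a Windows Firewall rule blocking inbound 445 on the Public profile. It assumes Windows 8.1 / Server 2012 R2 or later and an elevated shell.

```powershell
# Added example, not Reposify's code: audit and reduce a Windows host's SMB (TCP 445) exposure.
# Assumes the NetTCPIP and NetSecurity modules (Windows 8.1 / Server 2012 R2+) and an elevated shell.

function Test-PrivateIPv4 {
    # True for RFC 1918, loopback and link-local addresses; anything else is treated as routable.
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Is the SMB listener reachable from outside? SMB normally binds 0.0.0.0, so the useful
#    question is whether any IPv4 interface on this host carries a routable address.
$smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
$publicAddrs  = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) } |
                Select-Object -ExpandProperty IPAddress
if ($smbListening -and $publicAddrs) {
    Write-Warning "TCP 445 is listening and this host has routable address(es): $($publicAddrs -join ', ')"
}

# 2. Patch status. The KB differs per OS build and the page names none, so this is a placeholder.
$RequiredKb = 'KB0000000'   # placeholder: replace with the April 2022 cumulative update KB for this build
if (-not (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)) {
    Write-Warning "$RequiredKb not found; install the April 2022 security update."
}

# 3. Keep SMB off the perimeter: block inbound 445 on the Public profile. Adjust -Profile if
#    the internet-facing interface is classified differently on this host.
$ruleName = 'Block inbound SMB 445 (Public profile)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block -Enabled True | Out-Null
    Write-Output "Created firewall rule '$ruleName'."
}
```

The host-level rule is a stopgap; the perimeter firewall should also drop inbound 445 so that unknown or unmanaged hosts are covered too.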

How Reposify’s EASM platform flags exposed unknown assets vulnerable to RPC/SMB threat

Reposify’s discovery mechanism gives companies a precisely mapped, comprehensive picture of their asset inventory. It frees up manpower critical to security teams as they grapple with the expanding attack surface. The platform maps the web in real time, enabling security teams to detect unknown exposed assets that are vulnerable to Microsoft’s RCE threats and pose a risk to your organization.

The Reposify platform lets you filter and sort assets via the GUI or API of your choosing, with an intuitive user interface for easy navigation, identification, and asset monitoring.

Only by having an accurate inventory that takes the entire supply chain, third party vendors and subsidiaries into account can organizations achieve true perimeter security.
Think you’re vulnerable? Request a demo here.

Shlomi has been an information technology professional for over fifteen years, with extensive experience in roles spanning the Software Development Life Cycle (SDLC), IT infrastructure, cryptography, security architecture, operations security, business continuity and Disaster Recovery Planning (DRP), legal, regulations, investigations and compliance, and DevOps design (CI/CD processes) on cloud platforms. Shlomi has worked on large, complex InfoSec projects worldwide. He brings expertise in both defensive and offensive cybersecurity methodologies. Shlomi is focused on excellence in all aspects of business and life and contributes his knowledge to technical documentation, including for the Cloud Security Alliance (CSA).

