CVE-2022-30136
published 2022-06-15

CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability

Priority: P1 (score 90, critical) · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: in-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 74.68% (99.4th percentile)

Affected

9 ranges

Vendor      Product                  Version range                           Fixed in
microsoft   windows_server_2012      (no range given)                        -
microsoft   windows_server_2012      >= 6.2.9200.0  < 6.2.9200.23736         6.2.9200.23736
microsoft   windows_server_2012_r2   >= 6.3.9600.0  < 6.3.9600.20402         6.3.9600.20402
microsoft   windows_server_2016      >= 10.0.14393.0 < 10.0.14393.5192       10.0.14393.5192
microsoft   windows_server_2019      >= 10.0.17763.0 < 10.0.17763.3046       10.0.17763.3046
msrc        windows_server_2012      (no range given)                        -
msrc        windows_server_2012_r2   (no range given)                        -
msrc        windows_server_2016      (no range given)                        -
msrc        windows_server_2019      (no range given)                        -

Detection & IOCs (extracted from sources)

  • CVE-2022-30136 is exploitable only via NFSv4.1; NFSv2.0 and NFSv3.0 are NOT affected. Detection should focus on unauthenticated, specially crafted NFS calls targeting NFSv4.1.
  • Talos released a Snort rule set specifically detecting exploitation attempts for CVE-2022-30136 and related June 2022 Patch Tuesday vulnerabilities. Cisco Secure Firewall customers should update their SRU; open-source Snort Subscriber Rule Set customers should download the latest rule pack from Snort.org.
  • The vulnerability is not exploitable in NFSv2.0 or NFSv3.0; scope detection/blocking to NFSv4.1 traffic only.
  • Disabling NFSv4.1 as a temporary mitigation requires the May 2022 Windows security updates (addressing CVE-2022-26937) to already be installed first; applying the mitigation without those updates leaves NFSv2.0 and NFSv3.0 critically vulnerable.
  • The PowerShell command to disable NFSv4.1 as a temporary mitigation is: Set-NfsServerConfiguration -EnableNFSV4 $false, followed by an NFS server restart or a machine reboot.
  • Exploitation likelihood is rated 'More Likely' for both latest and older software releases, meaning active exploitation attempts should be anticipated even before a public PoC is confirmed.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck     -         9.8     CRITICAL   -
vendor_msrc   -         9.8     CRITICAL   -