CVE-2022-34715
published 2022-08-09

CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability

Priority: P2 (77)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 80.10% (99.6th percentile)

Affected (2 ranges)

Vendor     Product              Version range                      Fixed in
microsoft  windows_server_2022  >= 10.0.20348.0 < 10.0.20348.887   10.0.20348.887
msrc       windows_server_2022  (no version range given)           (not given)

Detection & IOCs (extracted from sources)

command (mitigation, disables NFSv4 on the server): Set-NfsServerConfiguration -EnableNFSV4 $false
command (mitigation, stops the NFS server service): nfsadmin server stop
  • Inspect ONC RPC traffic for NFS Program field value 100003, Procedure field value 1 (COMPOUND), and Program Version field value 4 (NFS4) — these identify NFSv4 COMPOUND requests that must be further inspected.
  • Within qualifying NFSv4 COMPOUND requests, check each operation for vulnerable opcodes OP_CREATE(6), OP_OPEN(18), or OP_SETATTR(34) carrying ACL attribute data (Bit12 / 0x1000 in the attributes bitmap).
  • Flag as suspicious any NFSv4 COMPOUND request where the ACE_Count field in ACL attribute data exceeds 0x8000000 — this is the integer-truncation trigger for the heap buffer overflow.
  • There is no fixed offset to skip non-vulnerable opcodes; the full NFS COMPOUND message must be parsed to locate ACL attribute data, because NFS operations do not carry a consistent per-operation length field.
  • The vulnerability is only exploitable on systems with the NFS role enabled and affects NFSv4 only (the sources name NFSv4.1 specifically); NFSv2.0 and NFSv3.0 are not affected.
  • The vulnerability is present only on Windows Server 2022; other Windows versions are not affected.
  • Although Microsoft lists the vulnerability as not requiring authentication, all known exploitation paths require file creation or modification privileges on the NFS share.
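The detection steps above, carried out over bytes, as an added example (this is not code from the page's sources or from Microsoft). It assumes the standard ONC RPC and NFSv4.1 XDR layouts (RFC 5531, RFC 5661), that the 4-byte TCP record mark has already been stripped, and that the opcode numbers, the FATTR4_ACL bit (bit 12) and the 0x8000000 ACE_Count threshold are the ones the bullets give. The two messages it scans are constructed here, not captured traffic: one OPEN with a two-entry ACL, and one SETATTR whose ACE_Count far exceeds the entries actually present. Opcodes without an argument walker stop the scan rather than being skipped, which is the practical consequence of the last bullet: there is no per-operation length field to jump over.

```python
import struct

NFS_PROGRAM, NFSPROC4_COMPOUND = 100003, 1
OP_CREATE, OP_GETFH, OP_OPEN, OP_PUTFH = 6, 10, 18, 22
OP_PUTROOTFH, OP_RESTOREFH, OP_SAVEFH, OP_SETATTR, OP_SEQUENCE = 24, 31, 32, 34, 53
FATTR4_ACL = 12                    # bit 12 / 0x1000 of bitmap word 0
ACE_COUNT_THRESHOLD = 0x8000000    # ACE_Count above this is the truncation trigger
# XDR sizes of the fixed-length attributes numbered below FATTR4_ACL; when set they
# precede the ACL inside attr_vals (attr 0, supported_attrs, is itself a bitmap4).
FIXED_ATTR_SIZES = {1: 4, 2: 4, 3: 8, 4: 8, 5: 4, 6: 4, 7: 4, 8: 16, 9: 4, 10: 4, 11: 4}

class Xdr:                         # minimal big-endian XDR reader (RFC 4506)
    def __init__(self, data): self.data, self.pos = data, 0
    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4; return v
    def opaque(self):              # variable-length opaque<>, padded to 4 bytes
        n = self.u32(); v = self.data[self.pos:self.pos + n]; self.pos += (n + 3) & ~3; return v
    def skip(self, n): self.pos += n

def ace_count_from_fattr4(x):
    """Parse a fattr4; return the nfsace4<> count if FATTR4_ACL is set, else None."""
    words = [x.u32() for _ in range(x.u32())]
    vals = Xdr(x.opaque())
    if not words or not (words[0] >> FATTR4_ACL) & 1:
        return None
    for attr in range(FATTR4_ACL):                 # step over lower-numbered attrs
        if (words[0] >> attr) & 1:
            vals.skip(4 * vals.u32() if attr == 0 else FIXED_ATTR_SIZES[attr])
    return vals.u32()                              # ACE_Count leads the ACL value

def parse_setattr(x):
    x.skip(16)                                     # stateid4
    return ace_count_from_fattr4(x)

def parse_create(x):
    objtype = x.u32()                              # createtype4
    if objtype == 5: x.opaque()                    # NF4LNK: link text
    elif objtype in (3, 4): x.skip(8)              # NF4BLK / NF4CHR: specdata4
    x.opaque()                                     # objname
    return ace_count_from_fattr4(x)

def parse_open(x):
    x.skip(20); x.opaque()                         # seqid, access, deny, clientid, owner
    count = None
    if x.u32() == 1:                               # OPEN4_CREATE
        mode = x.u32()                             # createmode4
        if mode == 3: x.skip(8)                    # EXCLUSIVE4_1: verifier, then attrs
        if mode == 2: x.skip(8)                    # EXCLUSIVE4: verifier only
        else: count = ace_count_from_fattr4(x)     # UNCHECKED4 / GUARDED4 / EXCLUSIVE4_1
    claim = x.u32()                                # open_claim_type4
    if claim in (0, 3): x.opaque()                 # CLAIM_NULL / CLAIM_DELEGATE_PREV: name
    elif claim == 1: x.skip(4)                     # CLAIM_PREVIOUS: delegate_type
    elif claim == 2: x.skip(16); x.opaque()        # CLAIM_DELEGATE_CUR: stateid, name
    elif claim == 5: x.skip(16)                    # CLAIM_DELEG_CUR_FH: stateid
    return count                                   # claims 4 and 6 carry no data

def scan_compound(rpc_call):
    """Walk an ONC RPC CALL (TCP record mark already stripped) op by op; return
    (verdict, op_index, opcode, ace_count) for every ACL-bearing op it reaches."""
    x = Xdr(rpc_call)
    _xid, msg_type, _rpcvers, prog, vers, proc = (x.u32() for _ in range(6))
    if (msg_type, prog, vers, proc) != (0, NFS_PROGRAM, 4, NFSPROC4_COMPOUND):
        return []                                  # not an NFSv4 COMPOUND call
    for _ in range(2): x.u32(); x.opaque()         # cred and verf: flavor + body
    x.opaque()                                     # tag
    _minorversion, numops = x.u32(), x.u32()
    findings = []
    for i in range(numops):
        op, count = x.u32(), None
        if op == OP_SETATTR: count = parse_setattr(x)
        elif op == OP_CREATE: count = parse_create(x)
        elif op == OP_OPEN: count = parse_open(x)
        elif op == OP_PUTFH: x.opaque()
        elif op == OP_SEQUENCE: x.skip(32)         # 4.1 session/slot header
        elif op in (OP_GETFH, OP_PUTROOTFH, OP_RESTOREFH, OP_SAVEFH): pass
        else:                                      # no per-op length field: cannot skip
            findings.append(("unparsed", i, op, None)); break
        if count is not None:
            findings.append(("suspicious" if count > ACE_COUNT_THRESHOLD else "ok", i, op, count))
    return findings

# Constructed sample messages (built here, not captured traffic).
def xdr_opaque(b): return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)
def nfsace4(who): return struct.pack(">III", 0, 0, 0x1F) + xdr_opaque(who)   # ALLOW, mask
def fattr4_acl(count, aces=b""):                   # bitmap with only bit 12 set
    return struct.pack(">II", 1, 1 << FATTR4_ACL) + xdr_opaque(struct.pack(">I", count) + aces)
def build_compound(ops, minorversion=1):           # ops = [(opcode, argbytes), ...]
    hdr = struct.pack(">IIIIII", 0x1234, 0, 2, NFS_PROGRAM, 4, NFSPROC4_COMPOUND)
    auth_none = struct.pack(">I", 0) + xdr_opaque(b"")
    body = xdr_opaque(b"") + struct.pack(">II", minorversion, len(ops))
    return hdr + auth_none * 2 + body + b"".join(struct.pack(">I", o) + a for o, a in ops)

SEQ = b"\0" * 32
OPEN_OK = (struct.pack(">IIIQ", 1, 2, 0, 0xC0FFEE) + xdr_opaque(b"owner")
           + struct.pack(">II", 1, 1) + fattr4_acl(2, nfsace4(b"OWNER@") + nfsace4(b"EVERYONE@"))
           + struct.pack(">I", 0) + xdr_opaque(b"new.txt"))   # OPEN4_CREATE/GUARDED4, CLAIM_NULL
BENIGN = build_compound([(OP_SEQUENCE, SEQ), (OP_PUTROOTFH, b""), (OP_OPEN, OPEN_OK), (OP_GETFH, b"")])
SETATTR_BAD = b"\0" * 16 + fattr4_acl(0x8000001, nfsace4(b"OWNER@"))   # count >> real entries
MALICIOUS = build_compound([(OP_SEQUENCE, SEQ), (OP_PUTFH, xdr_opaque(b"\x01" * 8)), (OP_SETATTR, SETATTR_BAD)])

if __name__ == "__main__":
    print(scan_compound(BENIGN))       # [('ok', 2, 18, 2)]
    print(scan_compound(MALICIOUS))    # [('suspicious', 2, 34, 134217729)]
```

A sensor built on this walk has to reassemble the TCP stream and honour the RPC record marks before handing each CALL to scan_compound, and it needs an argument walker for every opcode a client can legitimately send ahead of OPEN, CREATE or SETATTR in the same COMPOUND; the handful of framing ops covered here (SEQUENCE, PUTFH, PUTROOTFH, GETFH, SAVEFH, RESTOREFH) is enough for the two constructed messages but an "unparsed" finding on real traffic means the walker set is incomplete, not that the request is benign.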

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (MSRC): 9.8 CRITICAL