Exchange admins still waiting for zero-day patch
This month's Patch Tuesday from Microsoft hasn't brought relief for MS Exchange admins: the actively exploited zero-days (CVE-2022-41040 and CVE-2022-41082, aka ProxyNotShell) have still not been patched, so administrators will have to follow the latest news on how to mitigate the flaw and manually implement workarounds. Or finally start planning for a long overdue migration to an alternative such as Microsoft Online.
That being said, here's the list of which fixes to prioritize in this release:
SharePoint on-prem users should patch multiple CVEs: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038. These are remote code execution vulnerabilities requiring an authenticated user. However, since SharePoint is usually a publicly exposed service and stolen credentials are often part of an attack, these vulnerabilities should be taken seriously. SharePoint exploits are routinely used by attackers to gain initial access to organizational networks.
One vulnerability is marked as being exploited in the wild: CVE-2022-41033, a Windows COM+ Event System Service elevation of privilege vulnerability. It is not clear which threat actors are using it, but since exploitation requires local access to a Windows client or server, it is probably used once an attacker already has a foothold on the operating system.
CVE-2022-37976 Active Directory Certificate Services elevation of privilege vulnerability: although less likely to be exploited, this one can allow the attacker to gain domain administrator privileges. Ransomware groups often look for vulnerabilities and misconfigurations in Active Directory to spread malicious payloads across an organization's network, so this one should be prioritized.
There is one vulnerability with the highest possible score of 10.0: CVE-2022-37968. It affects Azure Arc-enabled Kubernetes clusters, where an unauthenticated attacker could gain administrative privileges over a cluster. Not many users in the region will use this Azure service (and even if they do, chances are they use the auto-update functionality), so the impact of this one is probably low.