Microsoft released April 2022 security updates to fix found vulnerabilities in their software products and features that include, but not limited to:

• Microsoft Exchange Server: 2013, 2016 and 2019

• Microsoft Office: 2013, 2016, 2019, Microsoft 365

• Windows Server: 2012, 2016, 2019, 2022

• Windows OS: 10 and 11

The released security updates fix about 119 vulnerabilities, which include 10 rated as critical and 2 zero-day vulnerabilities. It includes:

• CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability

• CVE-2022-26904: Windows User Profile Service Elevation of Privilege Vulnerability

• CVE-2022-26809: Remote Procedure Call Runtime Remote Code Execution Vulnerability

• CVE-2022-24497 & CVE-2022-24491: Windows Network File System RCE Vulnerability

Security Risks

If the identified vulnerabilities in Microsoft products are not patched, authenticated attackers can remotely gain control of vulnerable systems and run malicious code with elevated privileges.

For the full list of security patches released by Microsoft, please refer to Microsoft Security Update Guide. 

Recommended Actions

The National Cyber Security Authority (NCSA) recommends users and system administrators to:

1. apply the latest security patches, as soon as possible, to prevent unauthorized control over unpatched systems;

2. upgrade immediately to the latest supported version of installed Microsoft software in order to continue receiving technical support and security patches.

The following Microsoft software products reached their end-of-life and need to be upgraded immediately:

• Internet Explorer;

• Windows XP, 8 and 7;

• Exchange Server 2010;

• and Windows Server 2008, 2008 RE;

   3.  Before any update task, ensure you have backup for your data.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009

References

Release Notes – April 2022

Microsoft Security Update Guide