Microsoft’s May 2022 Patch Tuesday Addresses 73 CVEs

On May 10, Microsoft released its May 2022 Patch Tuesday release which patched 73 CVEs, six rated as critical, 66 rated as important and one rated as low severity.

Microsoft patched CVE-2022-26925, a Windows Local Security Authority (LSA) spoofing vulnerability that received a CVSSv3 score of 8.1. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could coerce domain controllers to authenticate to an attacker-controller server using NTLM. Microsoft recommends that organizations prioritize patching domain controllers for this vulnerability.  

This month’s update includes patches for:

• .NET and Visual Studio
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Local Security Authority Server (lsasrv)
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft Windows ALPC
• Remote Desktop Client
• Role: Windows Fax Service
• Role: Windows Hyper-V
• Self-hosted Integration Runtime
• Tablet Windows User Interface
• Visual Studio
• Visual Studio Code
• Windows Active Directory
• Windows Address Book
• Windows Authentication Methods
• Windows BitLocker
• Windows Cluster Shared Volume (CSV)
• Windows Failover Cluster Automation Server
• Windows Kerberos
• Windows Kernel
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Media
• Windows Network File System
• Windows NTFS
• Windows Point-to-Point Tunneling Protocol
• Windows Print Spooler Components
• Windows Push Notifications
• Windows Remote Access Connection Manager
• Windows Remote Desktop
• Windows Remote Procedure Call Runtime
• Windows Server Service
• Windows Storage Spaces Controller
• Windows WLAN Auto Config Service

For more information, please visit our blog post.