---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Windows NFS'
version: '1.0'
number: '2022-042'
original_date: 'June 14, 2022'
date: 'June 15, 2022'
---

_History:_

* _15/06/2022 --- v1.0 -- Initial publication_

# Summary

On the 14th of June 2022, Microsoft -- as part of the June Patch Tuesday release -- issued several (55) security fixes for various vulnerabilities. Among others, the update fixes the **critical vulnerability** `CVE-2022-30136`, which is an RCE vulnerability in the Network File System (NFS). The vulnerability can be exploited by an **unauthenticated attacker** using a specially crafted call to an NFS service [1]. The vulnerability is not exploitable in NFSV2.0 or NFSV3.0 [2].

There is no evidence that this vulnerability is exploited in the wild. However, it is recommended to patch as soon as possible.

# Technical Details

The vulnerability tracked as `CVE-2022-30136` (CVSS score: 9.8) affects Windows assets running NFS. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0 [2].

Microsoft has not provided more technical details about this vulnerability at this time.

# Affected Products

This vulnerability affects the following Windows products with NFS enabled (including Server Core installations):

- Windows Server 2012 R2;
- Windows Server 2012;
- Windows Server 2016;
- Windows Server 2019.

# Recommendations

CERT-EU recommends applying the patches provided by Microsoft as soon as possible.

## Mitigations

The advisory notes that NFS versions 2.0 and 3.0 are not affected and that administrators can disable NFS version 4.1 to mitigate this flaw [2].

# References

[1]

[2]

[3]
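
The mitigation described under Mitigations, as an added PowerShell example (not part of the CERT-EU advisory): it reports whether Server for NFS is installed and whether NFSv4.1 is enabled, and disables NFSv4.1 only when asked to. The `-Apply` switch is an assumption of this example; the cmdlets and `nfsadmin` are the standard Windows Server NFS tooling.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption of this example: without -Apply the script only reports.
    [switch]$Apply
)

# FS-NFS-Service is the "Server for NFS" role service; a host without it
# does not expose an NFS server.
$role = Get-WindowsFeature -Name FS-NFS-Service
if (-not $role.Installed) {
    Write-Output "Server for NFS is not installed on $env:COMPUTERNAME."
    return
}

# Report which protocol versions the server currently accepts.
$cfg = Get-NfsServerConfiguration
$cfg | Format-List EnableNFSV2, EnableNFSV3, EnableNFSV4

if (-not $cfg.EnableNFSV4) {
    Write-Output 'NFSv4.1 is already disabled.'
    return
}

Write-Warning 'NFSv4.1 is enabled; this host needs the patch or the mitigation.'
if (-not $Apply) { return }

# Disable NFSv4.1, then restart Server for NFS so the change takes effect.
# Clients that currently mount over NFSv4.1 are affected by this change.
Set-NfsServerConfiguration -EnableNFSV4 $false
nfsadmin server stop
nfsadmin server start

# Confirm the resulting state.
Get-NfsServerConfiguration | Format-List EnableNFSV2, EnableNFSV3, EnableNFSV4
```

Once the Microsoft patch is installed, NFSv4.1 can be turned back on with `Set-NfsServerConfiguration -EnableNFSV4 $true` followed by the same service restart.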