Cybersecurity firm warns of actively exploited Windows IKE RCE (CVE-2022-34721) flaw

CVE-2022-34721 exploited

Cyfirma, an external threat landscape management platform company, last Friday issued a bulletin warning of a critical vulnerability in Windows that is being actively exploited in the wild.

The flaw, tracked as CVE-2022-34721 (CVSS score: 9.8), lies in the Windows Internet Key Exchange (IKE) Protocol Extensions component and allows remote code execution (RCE). An unauthenticated attacker can exploit it by sending a specially crafted IP packet to a Windows node where IPsec is enabled, gaining arbitrary code execution on the system with no user interaction. Microsoft's advisory notes that only IKEv1 handling is affected, not IKEv2, but that Windows servers accept both protocol versions and so remain exposed.


“CYFIRMA research observed campaign ‘流血你’, translating to ‘bleed you’, suspected to be launched on 6 September 2022 targeting weak/vulnerable Windows OS, Windows Servers, Windows protocols, and services. The Unknown Chinese Threat Actors identified these systems as running weak/vulnerable, which could be exploited using existing exploits,” the company wrote.

“As part of the campaign, we also noticed Chinese threat actors potentially colluding with Russian cybercriminals. From a strategic viewpoint on changing geopolitical scenarios from external threat landscape management, Russia and China are observed to form a strategic relationship.”

In September, 78ResearchLab publicly released proof-of-concept (PoC) exploit code for this flaw on GitHub, together with an analysis report.

CYFIRMA has found more than 1,000 systems that are vulnerable to this flaw. The campaign targets organizations in the retail, industrial conglomerate, government, financial services, IT services, and e-commerce sectors in the U.S., the U.K., Australia, Canada, France, Germany, Turkey, Japan, India, the UAE, and Israel.

Microsoft fixed the vulnerability in its September 2022 Patch Tuesday release. Administrators should apply the updates listed in the Microsoft advisory as soon as possible; because the attack is unauthenticated and needs only network reachability to the IKE listener, there is no compensating control short of stopping IPsec/IKE on the host or blocking UDP 500 and 4500 at the perimeter.
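The two facts a defender needs from the description above are whether a host actually exposes the IKE listener (the "IPsec is enabled" precondition) and whether the September update is present. The following triage script is an added example written for this article; it is not from the Cyfirma bulletin, the 78ResearchLab report, or Microsoft. It assumes an elevated PowerShell session on the Windows host being checked (Windows 8 / Server 2012 or later, so the NetSecurity and NetTCPIP modules are available), and it takes the KB number(s) for this host's build as a parameter rather than hard-coding any, because the KB differs per Windows version and should be read from Microsoft's advisory.

```powershell
# Added triage script for CVE-2022-34721 exposure; not from the Cyfirma bulletin
# or the Microsoft advisory. Assumptions: run elevated on the Windows host under
# review; $PatchKBs is supplied by the operator from Microsoft's September 2022
# advisory for this host's build (no KB numbers are hard-coded here).
param(
    [string[]] $PatchKBs = @()
)

$report = [ordered]@{}

# 1. IKEEXT ("IKE and AuthIP IPsec Keying Modules") is the service that parses
#    inbound IKE. If it is stopped and disabled, the vulnerable code path is not
#    reachable from the network.
$svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$report['IKEEXT service'] = if ($svc) { "$($svc.Status), startup $($svc.StartType)" } else { 'not present' }

# 2. IKE listens on UDP 500 (ISAKMP) and UDP 4500 (NAT-T). A bound socket is the
#    concrete form of "IPsec is enabled" that matters for this bug.
$udp = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)
$report['UDP 500/4500 bound'] = if ($udp.Count) {
    ($udp | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
} else { 'no' }

# 3. Enabled inbound allow rules that admit UDP 500/4500 (or any UDP port), i.e.
#    whether the host firewall would let a crafted packet reach the listener.
$fwRules = @(Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 'Any' -or $_.LocalPort -contains '500' -or $_.LocalPort -contains '4500' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
$report['Inbound FW rules for IKE'] = if ($fwRules.Count) {
    ($fwRules.DisplayName | Select-Object -Unique) -join '; '
} else { 'none' }

# 4. Configured IPsec rules and live IKE main-mode SAs: either shows the host is
#    actively doing IPsec rather than merely having the service installed.
$ipsecRules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue)
$mmSAs      = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$report['IPsec rules / live main-mode SAs'] = "$($ipsecRules.Count) / $($mmSAs.Count)"

# 5. Patch state: operator-supplied KB(s) from the advisory, plus the version of
#    the affected module (ikeext.dll) so it can be compared against the
#    advisory's file information if the KB list is incomplete.
$installed = @(Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID })
$report['Advisory KB installed'] = if (-not $PatchKBs) { 'no KB supplied (pass -PatchKBs)' }
                                   elseif ($installed.Count) { $installed.HotFixID -join ', ' }
                                   else { 'NOT FOUND' }
$dll = Get-Item "$env:SystemRoot\System32\ikeext.dll" -ErrorAction SilentlyContinue
$report['ikeext.dll version'] = if ($dll) { $dll.VersionInfo.FileVersion } else { 'not found' }

# Verdict: the attack surface is reachable when the service runs and the ports
# are bound; the host is "exposed" if that holds and the fix is not confirmed.
$reachable = ($svc -and $svc.Status -eq 'Running') -and ($udp.Count -gt 0)
$patched   = $installed.Count -gt 0
$report['Verdict'] = if ($reachable -and -not $patched) { 'EXPOSED: IKE reachable, patch not confirmed' }
                     elseif ($reachable)                 { 'IKE reachable, patch present' }
                     else                                { 'IKE not reachable on this host' }

[pscustomobject]$report | Format-List
```

Run it as `.\ike-triage.ps1 -PatchKBs KB<number-from-advisory>` on each candidate host; a "not reachable" verdict on a server that is supposed to terminate VPN or domain-isolation IPsec traffic is itself worth investigating, since it usually means the check ran without elevation or the service was stopped without anyone recording why. The script reports evidence rather than deciding "vulnerable" on its own, because the authoritative patch state is the advisory's KB for the specific build, not the service or port state.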