article featured image


Microsoft announced the information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958) had been patched in September 2022. Lately, cyber researchers discovered, and notified them, that the vulnerability permits threat actors to remotely execute code.

As a result, on December 13th, Microsoft reclassified the vulnerability as “Critical” severity. Researchers warn that the patch should be applied as soon as possible on systems using the default configuration.

The SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which enables a client and server to agree on which security mechanism to deploy, was found vulnerable. A pre-authentication remote code execution vulnerability affects a large number of protocols and is potentially wormable.

Due to this vulnerability, threat actors could remotely execute code by using the NEGOEX protocol via any Windows application protocol that authenticates by default. Server Message Block (SMB), Remote Desktop Protocol (RDP), Hyper Text Transfer Protocol (HTTP), and Simple Message Transport Protocol (SMTP) could all be in the case.

Why Is the SPNEGO Vulnerability a Great Cybersecurity Risk?

SPNEGO is widely used by users and administrators around the world and researchers say that:

There is no need for a victim to interact with a target system or authenticate themselves prior to being exposed to this vulnerability.


As the CVE-2017-0144 vulnerability that EternalBlue exploited for the WannaCry ransomware attacks only impacted the SMB protocol, researchers claim that the CVE-2022-37958 vulnerability is even more dangerous. The SPNEGO vulnerability can affect a wider number of Windows systems since it can also affect HTTP, RDP, and SMB.

What Can You Do to Keep Safe?

The vulnerability was fixed and made available in the September 2022 security update. It works on all OS, starting with Windows 7 and you should apply the patch as soon as you can.

Researchers advise further that you review the services exposed to the internet, like SMB and RDP. You should also continuously monitor the attack surface of your company and make sure that Kerberos or Net-NTLM are your only Windows authentication providers.

If you can`t apply the patch on your machine, researchers recommend removing “Negotiate” as a default provider, for safety reasons.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.