
Zero-Click RCE Vulnerability in Windows Systems (CVE-2022-26809)

EXECUTIVE SUMMARY

On Tuesday, April 12th, Microsoft released patches for CVE-2022-26809 – a zero-click exploit targeting Microsoft Remote Procedure Call (RPC) Services – present in various Microsoft Windows and Windows Server Products.

An unauthenticated attacker could leverage this vulnerability to execute malicious code, gaining a foothold on the network that could then be used to move laterally. The attacker could compromise the system itself or use it to obtain admin credentials from the exploited machine. While there is no evidence that this vulnerability is being actively exploited, mitigation procedures are available to prevent a potential attack.

Dataprise Defense Digest

ID: D3-2022-0005-1

Severity: 9.8 (CRITICAL)

Published: April 25th, 2022

IMPACT

Most Microsoft Windows operating systems are vulnerable, including Windows 7, 8, 10 and 11, and Windows Server (2008 through 2022).
An unauthenticated remote attacker could exploit it by sending a specially crafted RPC call to the RPC host. Successful exploitation of this vulnerability could result in remote code execution on the server side with the same permissions as the RPC service.

DETAILED ANALYSIS

RPC (Remote Procedure Call) is a protocol that applications use to communicate over TCP/IP (Transmission Control Protocol/Internet Protocol) and UDP (User Datagram Protocol). RPC is provided to these applications by run-time libraries such as rpcrt4.dll and its dependencies. According to the company “Akamai”, Windows systems that have not received April’s security patches most likely have the vulnerability present in that library. The vulnerability exists in the function “OSF_SCALL::GetCoalescedBuffer”, where a buffer is allocated and integer-sized data is written to it. However, the buffer is too small to accommodate this data, which causes a buffer overflow or “out-of-bounds” memory write. If exploited correctly, this can lead to RCE (Remote Code Execution). Other functions that may have had the same issue include “OSF_CCALL::ProcessResponse” and “OSF_CCALL::GetCoalescedBuffer”. The April patches fix this issue by adding checks that the data actually fits into the buffer before it is written.
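The size check described above, as an added illustration in C; this is not code from rpcrt4.dll or from Dataprise, and the fragment_t type, the function names and the size cap are assumptions for the illustration. It shows why an unchecked 32-bit sum of fragment lengths leads to a buffer that is too small, and how a checked computation rejects the input before anything is allocated or copied.

```c
// Added illustration (not rpcrt4.dll code): coalescing RPC-style fragments
// into one buffer, first with the unchecked size sum, then with the check.
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const uint8_t *data;   // fragment payload
    uint32_t len;          // fragment length as read from the wire
} fragment_t;

// Unchecked: a 32-bit sum of lengths wraps silently, so the buffer allocated
// from this value is smaller than the bytes later copied into it.
uint32_t coalesced_size_unchecked(const fragment_t *frags, size_t count) {
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += frags[i].len;   // wraps on overflow
    return total;
}

// Checked: refuse any total that would wrap or exceed max_total.
// The subtraction form cannot overflow because total <= max_total always holds.
bool coalesced_size_checked(const fragment_t *frags, size_t count,
                            uint32_t max_total, uint32_t *out_total) {
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++) {
        if (frags[i].len > max_total - total)
            return false;        // data would not fit: reject before allocating
        total += frags[i].len;
    }
    *out_total = total;
    return true;
}

// Copies all fragments into one freshly allocated buffer sized by the
// checked computation; returns NULL when the input is rejected.
uint8_t *coalesce(const fragment_t *frags, size_t count, uint32_t max_total,
                  uint32_t *out_len) {
    uint32_t total;
    if (!coalesced_size_checked(frags, count, max_total, &total))
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return NULL;
    uint32_t off = 0;
    for (size_t i = 0; i < count; i++) {
        memcpy(buf + off, frags[i].data, frags[i].len);   // now provably in bounds
        off += frags[i].len;
    }
    *out_len = total;
    return buf;
}
```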

WORKAROUND / MITIGATION

  • Make sure all Windows systems are updated with the latest patches from April.
  • Make sure SMB port 445 is not public-facing: it should only be reachable from other Windows systems inside private networks, never from the public internet. The reason is that RPC calls can be carried over this port. Many company networks use it, most notably for shared drives and network drives, and malware authors tend to target this port to move across company networks.

SOURCES:

CONTRIBUTING AUTHORS

  • Susan Verdin, Cybersecurity Analyst
  • Maximo Bredfeldt, vCISO
  • Stephen Jones, VP Cybersecurity
