CVE-2022-37958: FAQ for Critical Microsoft SPNEGO NEGOEX Vulnerability

CVE-2022-37958: FAQ for Critical Microsoft SPNEGO NEGOEX Vulnerability

Microsoft recently reclassified a vulnerability in SPNEGO NEGOEX, originally patched in September, after a security researcher discovered that it can lead to remote code execution. Organizations are urged to apply these patches as soon as possible.

Frequently Asked Questions (FAQ) about CVE-2022-37958

What is CVE-2022-37958?

CVE-2022-37958 is a remote code execution (RCE) vulnerability in the SPNEGO NEGOEX protocol of Windows operating systems, which supports authentication in applications.


SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism and is an internet standard for negotiating which Generic Security Service Application Program Interface (GSSAPI) technology is used for authentication between a client and server.

NEGOEX is an extended negotiation mechanism for SPNEGO (SPNEGO NEGOEX) intended to enhance SPNEGO by addressing some of the drawbacks of SPNEGO while adding new GSSAPI extensions. More details about SPNEGO NEGOEX can be found here.

What protocols use SPNEGO NEGOEX?

Both Server Message Block (SMB) and Remote Desktop Protocol use NEGOEX for authentication by default, while Simple Mail Transfer Protocol (SMTP) and HTTP can be configured to do so. Please note that this is not an exhaustive list of protocols that use or can be configured to use SPNEGO NEGOEX.

When was this vulnerability patched?

Microsoft patched CVE-2022-37958 as part of its September 2022 Patch Tuesday release.

Wasn’t CVE-2022-37958 classified differently in September?

Yes, it was originally classified as an information disclosure vulnerability and assigned a CVSSv3 score of 7.5 and a severity rating of High.

Why did its classification change?

Valentina Palmiotti, a security researcher on IBM Security’s X-Force Red team discovered that CVE-2022-37958 could lead to RCE. Microsoft re-evaluated the vulnerability and changed its classification from Information Disclosure to RCE, its severity to Critical and assigned a CVSSv3 score of 8.1 as part of its December 2022 Patch Tuesday release.

Is CVE-2022-37958 wormable?

According to IBM Security X-Force Red, it “has the potential to be wormable.”

Is CVE-2022-37958 more severe than EternalBlue (CVE-2017-0144)?

Possibly, based on the fact that SPNEGO NEGOEX affects multiple protocols, while EternalBlue affects only SMBv1.

My organization already applied the September 2022 Patch Tuesday updates. Are we still vulnerable?

No. Microsoft only made informational changes to CVE-2022-37958 as part of the December 2022 Patch Tuesday release. As long as organizations have applied the September 2022 Patch Tuesday updates, they are protected against CVE-2022-37958.

Has CVE-2022-37958 been exploited in the wild?

There are no reports of confirmed in-the-wild exploitation for CVE-2022-37958 at the time this blog post was released.

Is there a proof-of-concept (PoC) for CVE-2022-37958?

At the time this blog was published, no PoC exploit code had been released for CVE-2022-37958. IBM said it plans to release full technical details for this flaw in Q2 2023, which may include a PoC.

Does Tenable have product coverage for CVE-2022-37958?

Yes, we have published several plugins for CVE-2022-37958 as part of the September 2022 Patch Tuesday release:

Plugin ID
KB5017308: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (September 2022)
KB5017305: Windows 10 Version 1607 and Windows Server 2016 Security Update (September 2022)
KB5017315: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2022)
KB5017328: Windows 11 Security Update (September 2022)
KB5017392: Windows Server 2022 Security Update (September 2022)
KB5017373: Windows Server 2008 R2 Security Update (September 2022)
KB5017365: Windows Server 2012 R2 Security Update (September 2022)
KB5017327: Windows 10 LTS 1507 Security Update (September 2022)
KB5017377: Windows Server 2012 Security Update (September 2022)

Additional product coverage for CVE-29022-37958 will appear here as it’s released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

IBM Security X-Force Red Blog on Critical RCE in SPNEGO NEGOEX (CVE-2022-37958)

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 


More To Explore

Red Hat Security Advisory 2023-3304-01

Red Hat Security Advisory 2023-3304-01 – Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.