November Patch Tuesday


Microsoft has released patches to address 67 vulnerabilities, including six it has marked as actively exploited zero-days: a Windows Scripting remote code execution (RCE) flaw (CVE-2022-41128), a Mark of the Web (MotW) security feature bypass (CVE-2022-41091), an Escalation of Privilege (EoP) in the Print Spooler (CVE-2022-41073), an EoP in the CNG Key Isolation Service, which runs inside the Local Security Authority (LSA) process (CVE-2022-41125), and the Exchange Server EoP (CVE-2022-41040) and RCE (CVE-2022-41082) pair known as ProxyNotShell.

Another notable vulnerability this month is in Netlogon (CVE-2022-38023), which is exploited in a similar way to the Zerologon attack. It is rated only High rather than Critical because of its attack complexity (the attacker needs some prior knowledge of the target network), but Microsoft assesses exploitation as more likely.

In total there are 27 EoPs, 16 RCEs, 11 information disclosures, six Denial of Service (DoS) bugs, three spoofing vulnerabilities and four security feature bypasses.


CVE-2022-38023 – A network-based attacker could gain administrator privileges.

CVE-2022-41128 – An attacker could execute code on a vulnerable machine if they were able to entice a user into connecting to a malicious server.

CVE-2022-41091, CVE-2022-41049 (ZippyReads) – An attacker could craft a malicious file (typically delivered inside an archive) which bypasses Microsoft’s MotW protections, so the user receives no warning when opening it.

CVE-2022-41073, CVE-2022-41125 – A local Windows user could gain SYSTEM-level privileges.

CVE-2022-41040 (ProxyNotShell) – An authenticated, network-based attacker could gain elevated privileges on a Microsoft Exchange server.

CVE-2022-41082 (ProxyNotShell) – An authenticated, network-based attacker could execute code on a Microsoft Exchange server; in the wild it is chained with CVE-2022-41040.
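The MotW bypasses above all come down to a file reaching the user without a Zone.Identifier stream. The following PowerShell audit is an added example, not part of the bulletin and not a Microsoft tool: it walks a folder of downloaded or extracted files and reports the risky file types that carry no Mark of the Web. The folder path and the extension list are assumptions for illustration.

```powershell
# Added example (not from the bulletin): audit a folder for files that carry no
# Mark of the Web, i.e. no Zone.Identifier alternate data stream. Files saved by a
# browser or extracted from a downloaded archive normally carry ZoneId=3 (Internet);
# a file with no stream is what the MotW bypasses above produce.
# The folder path is an assumption; point it at wherever downloads land.
param([string]$Path = "$env:USERPROFILE\Downloads")

function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$File)

    # Zone.Identifier exists only on NTFS and only if the saving application set it.
    $stream = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    $referrer = $null
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d)$')      { $zoneId   = [int]$Matches[1] }
        if ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
    }

    [pscustomobject]@{
        File     = $File
        HasMotW  = ($null -ne $zoneId)
        ZoneId   = $zoneId          # 3 = Internet, 4 = Restricted, 0-2 = local/trusted
        Referrer = $referrer
    }
}

# File types Windows would normally warn about when they are marked (assumed list).
$riskyExtensions = '.exe', '.dll', '.js', '.jse', '.vbs', '.wsf', '.hta', '.lnk', '.iso', '.zip'

$report = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $riskyExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MotWStatus -File $_.FullName }

# Unmarked risky files are not proof that a bypass was used, but they are where to look first.
$report | Where-Object { -not $_.HasMotW } | Format-Table -AutoSize
```

An unmarked file can also simply have been copied from a share or a FAT-formatted USB stick, so treat the output as a triage list rather than an alert: the interesting cases are script or executable files sitting next to a marked archive they were clearly extracted from.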

Affected Products

.NET Framework
AMD CPU Branch
Azure Real Time Operating System
Linux Kernel
Microsoft Dynamics
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Network Policy Server (NPS)
Open Source Software
Role: Windows Hyper-V
Visual Studio
Windows Advanced Local Procedure Call
Windows ALPC
Windows Bind Filter Driver
Windows BitLocker
Windows CNG Key Isolation Service
Windows Devices Human Interface
Windows Digital Media
Windows DWM Core Library
Windows Extensible File Allocation
Windows Group Policy Preference Client
Windows HTTP.sys
Windows Kerberos
Windows Mark of the Web (MOTW)
Windows Netlogon
Windows Network Address Translation (NAT)
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Resilient File System (ReFS)
Windows Scripting
Windows Win32K

Containment, Mitigations & Remediations

Microsoft has published guidance for administrators on enforcing the Netlogon RPC sealing protections introduced by this update for CVE-2022-38023.
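As an added example of the checks an administrator would run on each domain controller before enforcing those protections (this is not the bulletin's or Microsoft's own script): it reads the RequireSeal registry value that Microsoft documents for CVE-2022-38023 in KB5021130 (0 = disabled, 1 = compatibility mode, 2 = enforcement), lists the Netlogon system-log events 5838 and 5839 that report clients and trusts still using RPC signing instead of sealing, and only then offers the switch to enforcement. The event IDs, value meanings and function names are stated here as assumptions; confirm them against Microsoft's guidance for your build.

```powershell
# Added example, not from the bulletin and not Microsoft's own script. Assumes the
# RequireSeal DWORD under the Netlogon Parameters key documented in KB5021130
# (0 = disabled, 1 = compatibility, 2 = enforcement) and Netlogon System-log events
# 5838 (client) / 5839 (trust) for peers still using RPC signing. Run on each DC as admin.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonSealMode {
    $value = (Get-ItemProperty -Path $netlogonKey -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
    switch ($value) {
        0       { 'Disabled: RPC sealing is not required (vulnerable)' }
        1       { 'Compatibility: sealing required for Windows clients, DCs and trusts only' }
        2       { 'Enforcement: sealing required from every Netlogon client' }
        default { 'Not set: a patched DC behaves as compatibility mode' }
    }
}

function Get-NetlogonSigningPeers {
    # Machines and trusts that would stop authenticating under enforcement; fix these first.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838, 5839
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Set-NetlogonSealEnforcement {
    # Reversible: set the value back to 1 if a legacy client breaks, but the goal is to
    # fix the client, not to stay in compatibility mode.
    New-ItemProperty -Path $netlogonKey -Name RequireSeal -PropertyType DWord -Value 2 -Force | Out-Null
    Get-NetlogonSealMode
}

Get-NetlogonSealMode
Get-NetlogonSigningPeers | Format-Table -AutoSize
# Only once the event list is empty on every domain controller:
# Set-NetlogonSealEnforcement
```

The order matters: enforcement blocks any Netlogon client that cannot seal, so the event review across all domain controllers is the check that prevents the patch from becoming an outage. If the value is managed by Group Policy, change it there rather than in the registry directly.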

Indicators of Compromise

ZippyReads in the wild

MITRE ATT&CK Techniques

T1210 – Exploitation of Remote Services

T1212 – Exploitation for Credential Access

T1068 – Exploitation for Privilege Escalation

Further Information

November 2022 Security Updates


CVE – Common Vulnerabilities and Exposures (a scheme to catalogue and index vulnerabilities)
DoS – Denial of Service (an attack that prevents a service from operating)
EoP – Escalation of Privilege (a vulnerability that lets an attacker run with higher privileges than they were granted)
IoC – Indicator of Compromise (an artifact that can be used to identify malicious activity, such as an Internet Protocol (IP) address or domain used by an attacker)
LPE – Local Privilege Escalation (allows a user who already has access to a device to gain more permissions on it)
MotW – Mark of the Web (a safety feature that flags files downloaded from the Internet so Windows and Office warn users before running them)
RCE – Remote Code Execution (a vulnerability that allows an attacker to run code of their choosing on another machine)