Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses Microsoft’s September 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1021 on Wednesday, September 14th.

In-The-Wild & Disclosed CVEs


The first disclosed vulnerability this month is Spectre-BHB that is discussed in great detail on arm Developer. The Microsoft update for this vulnerability only applies to Windows 11 for ARM64-based systems. It is likely that impacted systems are not widely deployed across most organizations.


A vulnerability in the Windows Common Log File System (CLFS) Driver allows for SYSTEM level code execution when successfully exploited on a system. This local vulnerability has already seen exploitation in-the-wild and was jointly reported by a number of organizations. The update for this vulnerability should be applied as soon as possible due to the active exploitation that is ongoing.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed are listed in red
Tag CVE Count CVEs
Windows IKE Extension 3 CVE-2022-34720, CVE-2022-34721, CVE-2022-34722
HTTP.sys 1 CVE-2022-35838
Windows Group Policy 1 CVE-2022-37955
Windows DPAPI (Data Protection Application Programming Interface) 1 CVE-2022-34723

Windows Enterprise App Management

1 CVE-2022-35841
Windows Common Log File System Driver 2 CVE-2022-35803, CVE-2022-37969
Cache Speculation 1 CVE-2022-23960
Microsoft Office SharePoint 4 CVE-2022-35823, CVE-2022-38008, CVE-2022-38009, CVE-2022-37961
Azure Arc 1 CVE-2022-38007
Visual Studio Code 1 CVE-2022-38020
Windows Photo Import API 1 CVE-2022-26928
Microsoft Office Visio 2 CVE-2022-38010, CVE-2022-37963
Microsoft Graphics Component 5 CVE-2022-35837, CVE-2022-34728, CVE-2022-34729, CVE-2022-37954, CVE-2022-38006
SPNEGO Extended Negotiation 1 CVE-2022-37958
Windows Event Tracing 1 CVE-2022-35832
Windows Kernel 3 CVE-2022-37964, CVE-2022-37956, CVE-2022-37957
Network Device Enrollment Service (NDES) 1 CVE-2022-37959
Windows Remote Access Connection Manager 1 CVE-2022-35831
Microsoft Office 1 CVE-2022-37962
Windows Defender 1 CVE-2022-35828
Microsoft Windows Codecs Library 2 CVE-2022-38011, CVE-2022-38019
Windows Remote Procedure Call 1 CVE-2022-35830
Windows ODBC Driver 5 CVE-2022-34726, CVE-2022-34727, CVE-2022-34730, CVE-2022-34732, CVE-2022-34734
.NET Framework 1 CVE-2022-26929
Windows OLE 6 CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840, CVE-2022-34731, CVE-2022-34733
Role: DNS Server 1 CVE-2022-34724
Windows Transport Security Layer (TLS) 2 CVE-2022-30196, CVE-2022-35833
.NET and Visual Studio 1 CVE-2022-38013
Windows TCP/IP 1 CVE-2022-34718
Windows Kerberos 2 CVE-2022-33679, CVE-2022-33647
Windows Credential Roaming Service 1 CVE-2022-30170
Windows Print Spooler Components 1 CVE-2022-38005
Microsoft Edge (Chromium-based) 16

CVE-2022-38012, CVE-2022-3038, CVE-2022-3039, CVE-2022-3040, CVE-2022-3041, CVE-2022-3044, CVE-2022-3045, CVE-2022-3046, CVE-2022-3047, CVE-2022-3053, CVE-2022-3054, CVE-2022-3055, CVE-2022-3056, CVE-2022-3057, CVE-2022-3058, CVE-2022-3075

Microsoft Windows ALPC 1


Role: Windows Fax Service 1


Windows LDAP – Lightweight Directory Access Protocol 1


Microsoft Dynamics 2

CVE-2022-35805, CVE-2022-34700

Other Information

At the time of publication, there were no new advisories included with the September Security Guidance.

cyber ebook