CVE-2022-23278: Microsoft Defender for Endpoint Spoofing Vulnerability

Overview

Severity: Medium (CVSS 5.9)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Mar
Released: 2022-03-08
Last Updated: 2025-07-08
EPSS Score: 2.71% (percentile: 85.9%)

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

How can I verify that the update is installed?

Customers wanting to ensure the client has been updated can run the MDE Client Analyzer on the device. When run on a Windows device that does not have the security update, the analyzer presents a warning (ID 121035) indicating the missing patch and pointing to the relevant online article. Additionally, if the update is installed but the Anti-Spoofing capability is not in a stable state, the analyzer presents a warning (ID 121036) indicating an issue and providing additional online guidance, or a callout to reach out to Microsoft support if the issue persists.

Where can I get more information?

For more information, please see the blog post here.

Affected Products (30)

System Center

  • Microsoft Defender for Endpoint for Linux
  • Microsoft Defender for Endpoint for Mac
  • Microsoft Defender for Endpoint for Android
  • Microsoft Defender for Endpoint for iOS
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 20H2 for 32-bit Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1909 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows Server, version 20H2 (Server Core Installation)
  • Microsoft Defender for Endpoint for Windows on Windows 11 version 21H2 for x64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H2 for 32-bit Systems
  • Microsoft Defender for Endpoint for Windows on Windows 11 version 21H2 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1909 for x64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows Server 2022
  • Microsoft Defender for Endpoint for Windows on Windows Server 2022 Datacenter: Azure Edition
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1909 for 32-bit Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H1 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 20H2 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows Server 2019 (Server Core installation)
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H1 for 32-bit Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H2 for x64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H2 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows Server 2022 (Server Core installation)
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 21H1 for x64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows Server 2019
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1809 for x64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1809 for ARM64-based Systems
  • Microsoft Defender for Endpoint for Windows on Windows 10 Version 1809 for 32-bit Systems
  • Microsoft Defender for Endpoint EDR sensor on Windows Server 2016
  • Microsoft Defender for Endpoint EDR sensor on Windows Server 2016 (Server Core installation)
  • Microsoft Defender for Endpoint EDR sensor on Windows Server 2012 R2
  • Microsoft Defender for Endpoint EDR sensor on Windows Server 2012 R2 (Server Core installation)

Security Updates (8)

Acknowledgments

Gijs Hollestelle with FalconForce (https://www.falconforce.nl/)

Revision History

  • 2022-03-08: Information published.
  • 2022-03-09: Information added to the Security Updates table for Windows Servers 2012 R2 and 2016. Removed rows for Windows 10, Windows 7, Windows 8.1, and Windows Server 2008 R2. Updated FAQ regarding available security updates. More information regarding Windows Servers 2012 R2 and 2016 is available here: Microsoft Defender for Endpoint update for EDR Sensor.
  • 2022-03-28: Added links to updates for Microsoft Defender for Endpoint for iOS and Microsoft Defender for Endpoint for Android. Customers that are running these products should ensure that they have received the updates.
  • 2025-07-08: Updated links to security updates. This is an informational change only.