CVE-2022-26910: Skype for Business and Lync Spoofing Vulnerability

Overview

Severity: Medium (CVSS 3.1 base score 5.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Apr
Released: 2022-04-12
EPSS Score: 0.74% (percentile: 73.0%)

FAQ

How could an attacker exploit this vulnerability? An attacker could send a specially crafted network request to the target Skype for Business server that causes the server to issue and parse an HTTP request to an arbitrary, attacker-chosen address. The response, or the server's behaviour while handling it, could disclose IP addresses, port numbers, or both to the attacker. That is consistent with the CVSS vector: an unauthenticated, network-reachable trigger (AV:N/PR:N/UI:N) with a low confidentiality impact only (C:L/I:N/A:N); no integrity or availability impact is claimed.

Affected Products (2)

Microsoft Office

  • Skype for Business Server 2015 CU12
  • Skype for Business Server 2019 CU6

Security Updates (1)

Acknowledgments

rskvp93 (https://twitter.com/rskvp93) with VCSLAB of Viettel Cyber Security (https://lab.viettelcybersecurity.com/)

Revision History

  • 2022-04-12: Information published.