CVE-2022-33633: Skype for Business and Lync Remote Code Execution Vulnerability

Overview

  • Severity: High (CVSS 7.2)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • Category: Remote Code Execution
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2022-Jul
  • Released: 2022-07-12
  • EPSS Score: 6.30% (percentile: 91.0%)

FAQ

According to the CVSS metric, privileges required is high (PR:H). What privileges are needed by the attacker and how are they used in the context of the remote code execution?

To successfully exploit this vulnerability, the attacker must have write access on the file share, and an active file share administrator account on the target server. With write access, the attacker would need to modify specific files on the target server to trigger code execution.

Affected Products (3)

Microsoft Office

  • Microsoft Lync Server 2013 CU10
  • Skype for Business Server 2015 CU12
  • Skype for Business Server 2019 CU6

Security Updates (3)

Acknowledgments

Yiming Xiang with NSFOCUS TIANJI LAB (https://www.nsfocus.cn/)

Revision History

  • 2022-07-12: Information published.