Microsoft Warns of New Critical Windows HTTP Vulnerability; Tags It as Wormable


Yesterday, Microsoft patched a critical vulnerability that affects the latest desktop and server versions of its operating system, including Windows 11 and Windows Server 2022.

Microsoft’s researchers flagged the bug, tracked as CVE-2022-21907, as wormable and addressed it in this month’s Patch Tuesday.

The team discovered the flaw in HTTP.sys (the HTTP Protocol Stack), a protocol listener that lets the Windows IIS (Internet Information Services) server process HTTP requests.

In a successful attack, perpetrators craft and send malicious packets to Windows servers that rely on the vulnerable HTTP Protocol Stack to handle HTTP requests.

Fortunately, the vulnerability doesn’t appear to be actively exploited, and there are no signs of publicly disclosed PoC (Proof of Concept) exploits against it yet.

Additionally, some versions of Windows, including Windows 10 version 1809 and Windows Server 2019, have the vulnerable HTTP Trailer support feature disabled by default. To trigger the vulnerability, Microsoft says that users would need to modify a registry key as follows:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
"EnableTrailerSupport"=dword:00000001

On the two Windows releases mentioned above, confirming that HTTP Trailer Support has not been enabled through that registry value should be enough to fend off an attack, since the operating system leaves the feature disabled by default. Unfortunately, this workaround doesn’t apply to other vulnerable versions of Windows.
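As an added example (not code from the article or from Microsoft), the following PowerShell script performs the check described above and reports whether this host can rely on the registry workaround or must be patched outright. It assumes the build-number mapping (17763 = Windows 10 version 1809 / Windows Server 2019) and the service name of the HTTP.sys driver, 'HTTP'; the registry path and value name are the ones quoted in the article.

```powershell
# Added example: reports whether this host can rely on the HTTP Trailer Support
# workaround for CVE-2022-21907 or must install the Patch Tuesday update.
# Registry path and value name come from the article; the build-number mapping
# and the service name 'HTTP' (the HTTP.sys kernel driver) are assumptions.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# Build 17763 is Windows 10 version 1809 and Windows Server 2019, the releases
# the article says ship with trailer support disabled by default.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$workaroundApplies = ($build -eq 17763)

# Read the value; a missing value means the default (disabled) is in effect.
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$trailerValue   = $(if ($null -eq $item) { $null } else { [int]$item.$valueName })
$trailerEnabled = ($trailerValue -eq 1)

# HTTP.sys is only reachable if the driver is running (IIS and other listeners use it).
$httpDriver  = Get-Service -Name HTTP -ErrorAction SilentlyContinue
$httpRunning = ($null -ne $httpDriver) -and ($httpDriver.Status -eq 'Running')

if (-not $workaroundApplies) {
    $advice = 'Registry workaround does not cover this release; install the Patch Tuesday update.'
} elseif ($trailerEnabled) {
    $advice = "$valueName is set to 1, which exposes the flaw; remove it or set it to 0, then patch."
} else {
    $advice = 'Trailer support is disabled (default); still apply the Patch Tuesday update.'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OSBuild           = $build
    HttpSysRunning    = $httpRunning
    TrailerSupport    = $(if ($null -eq $trailerValue) { 'absent (disabled)' } else { $trailerValue })
    WorkaroundApplies = $workaroundApplies
    Advice            = $advice
}
```

Run it in an elevated session on each server you manage; the output object can be piped to Export-Csv to build a fleet-wide patching list.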

The consensus seems to be that home users, who are more likely to run the latest Windows releases, are at greater risk from CVE-2022-21907 exploits than companies and organizations, which don’t necessarily run those releases. However, applying the security patches from this month’s Patch Tuesday should keep these attacks at bay.

Last but not least, Microsoft recommends that users prioritize applying the latest security patches on all impacted systems. Left unpatched, the flaw could let unauthorized threat actors achieve remote arbitrary code execution in a low-complexity attack, typically without any user interaction.