Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft


UPDATE January 13 2022: The Protection section has been updated with IPS signature information.

FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of the regular MS Patch Tuesday. Among those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and "recommends prioritizing the patching of affected servers".

Why is this Significant?

This is significant because CVE-2022-21907 is considered wormable: malware can exploit the vulnerability to self-propagate without any user interaction or elevated privileges. CVE-2022-21907 targets the HTTP trailer support feature, which is enabled by default in various Windows 10 and 11 versions, as well as in Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).

What is CVE-2022-21907?

CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows kernel component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicious packet to an affected server that uses the HTTP Protocol Stack (http.sys) to process packets, leading to remote code execution.

Which Versions of Windows are Vulnerable?

Per the Microsoft advisory, the following Windows versions are vulnerable:

  • Windows Server 2019
  • Windows Server 2022
  • Windows 10
  • Windows 11

Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.

Is the Vulnerability Exploited in the Wild?

FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.

Has the Vendor Released a Fix?

Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.

What is the Status of Coverage? (Updated January 13 2022)

FortiGuard Labs has released the following IPS signature in version 19.241:

MS.Windows.HTTP.Protocol.Stack.CVE-2022-21907.Code.Execution (default action is set to pass)

Any Mitigation?

Microsoft provided the following mitigation in the advisory:

In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:


This mitigation does not apply to the other affected versions.

Outbreak Alert

Microsoft's January 2022 Patch Tuesday contains updates for 97 security vulnerabilities, one of which is CVE-2022-21907, rated 9.8 and capable of leading to remote code execution.
