CVE-2022-37965
Published: 11 October 2022
Summary
CVE-2022-37965 is a medium-severity vulnerability in Microsoft Windows 10 (and other affected Windows releases) for which no CWE has been assigned. Its CVSS base score is 5.9 (Medium).
Operationally, its EPSS percentile places it in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-37965 is a denial-of-service vulnerability in the Windows Point-to-Point Tunneling Protocol (PPTP) implementation. It affects the PPTP network component on supported Windows systems and carries a CVSS 3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, high attack complexity, no privileges or user interaction required, and an impact confined to availability.
An unauthenticated remote attacker can trigger the flaw over the network to cause the affected PPTP service to stop responding, resulting in loss of availability for VPN connections that rely on the protocol. The target must accept PPTP traffic (the TCP 1723 control channel and the GRE-encapsulated tunnel, IP protocol 47), and the high attack-complexity rating means successful exploitation depends on conditions beyond the attacker's direct control rather than on simply sending traffic to an exposed port.
Microsoft has published official guidance for the issue in its Security Update Guide and the Microsoft Security Response Center advisory portal, directing administrators to the relevant patches and configuration recommendations for affected Windows releases. The associated EPSS score has remained low and essentially flat since disclosure.
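The practical questions for an administrator are whether a given host still accepts PPTP traffic and whether it has received the fix. The following PowerShell function is an added example for this page (it is not Microsoft's guidance or tooling, and the function name, parameter name and output fields are this example's own). It assumes that a host which is not listening on TCP 1723 and has no inbound firewall rule admitting TCP 1723 or GRE cannot be reached by the attack described above, and it takes the patched build number as a parameter because that value differs per Windows release and must be read from the Security Update Guide entry for this CVE.

```powershell
# Added example (not from the original page or from Microsoft): triage a Windows host
# for CVE-2022-37965 exposure. Function, parameter and output names are this example's own.
# The attack needs the target to accept PPTP traffic (TCP 1723 control channel and
# GRE, IP protocol 47, for the tunnel), so a host that is not listening on 1723 and
# has no inbound rule for 1723/GRE is not reachable by it even before it is patched.
function Test-PptpExposure {
    [CmdletBinding()]
    param(
        # Minimum patched build for this OS release, as Major.Minor.Build.UBR.
        # Take it from the Security Update Guide entry for CVE-2022-37965; it is
        # not hard-coded here because it differs per Windows release.
        [Parameter(Mandatory)]
        [version]$MinimumPatchedBuild
    )

    # 1. Is the Routing and Remote Access service (the PPTP server role on Windows) running?
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasRunning = ($null -ne $rras) -and ($rras.Status -eq 'Running')

    # 2. Is anything listening on the PPTP control port?
    $listener = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    $listening = $null -ne $listener

    # 3. Which enabled inbound allow rules admit TCP 1723 or GRE (protocol 47)?
    $pptpRules = @(
        Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
            ForEach-Object {
                $filter = $_ | Get-NetFirewallPortFilter
                $allowsGre  = $filter.Protocol -eq '47'
                $allowsPptp = ($filter.Protocol -eq 'TCP') -and
                              (($filter.LocalPort -contains '1723') -or ($filter.LocalPort -eq 'Any'))
                if ($allowsGre -or $allowsPptp) { $_.DisplayName }
            }
    )

    # 4. Compare the installed build (including the UBR revision) with the patched build.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $installed = [version]("{0}.{1}.{2}.{3}" -f $cv.CurrentMajorVersionNumber,
                                                 $cv.CurrentMinorVersionNumber,
                                                 $cv.CurrentBuildNumber,
                                                 $cv.UBR)
    $patched = $installed -ge $MinimumPatchedBuild

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledBuild   = $installed
        PatchApplied     = $patched
        RrasRunning      = $rrasRunning
        ListeningOn1723  = $listening
        InboundPptpRules = $pptpRules
        # Exposed only when unpatched AND the host both serves PPTP and lets it in.
        ExposedToCve     = (-not $patched) -and ($listening -or $rrasRunning) -and ($pptpRules.Count -gt 0)
    }
}

# Usage: replace the placeholder with the patched build for this release from the
# Security Update Guide, e.g. Test-PptpExposure -MinimumPatchedBuild '10.0.<build>.<UBR>'
```

Run it elevated on each host that terminates PPTP connections; the `InboundPptpRules` field names the firewall rules to disable if PPTP is not actually needed, and `PatchApplied` tells you whether the update is already in place.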
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-40572
Vulnerability details
Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.