CISA 'temporarily' removes Windows vulnerability from its must-patch list

The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a certain timeframe.  

CISA said it is “temporarily removing”  Microsoft’s May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerability Catalog. It said after admins apply Microsoft’s May 10, 2022 rollup security fixes to Windows Servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday. 

“Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” it said.

“After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained

This issue only affects the update on Windows Servers used as domain controllers. CISA is still strongly encouraging admins to apply Microsoft’s

Read More: https://www.zdnet.com/article/cisa-temporarily-removes-windows-vulnerability-from-its-must-patch-list/#ftag=RSSbaffb68