Windows CryptoAPI vulnerability exploit issued

Akamai researchers have developed a proof-of-concept exploit for an already addressed Windows CryptoAPI vulnerability, tracked as CVE-2022-34689, which could be leveraged to impersonate legitimate entities, according to The Record, a news site by cybersecurity firm Recorded Future. Windows has been using CryptoAPI for managing certificates and cryptography-related issues, and exploiting the flaw could facilitate critical security protection bypass, the Akamai report said. "In order to exploit this vulnerability two things need to be true: The machine needs to be missing the Windows patch that was released in August 2022 and the application must use CryptoAPI for certificate verification, and enable a CryptoAPI feature called end certificate caching. This was intended as a performance-boosting feature, but a bug in its implementation causes it to be vulnerable," said Akamai researcher Yoni Rozenshien. Threat actors could also use the flaw to target Google Chrome versions 48 and earlier, as well as older Chromium-based applications, according to researchers, who also found that more than 99% of visible data center devices were vulnerable to attacks.