“Microsoft released a set of fixes affecting the Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”
The CVSS base scores are 9.8, 9.8 and 7.5 respectively.
All three have potential workarounds that should have minimal operational impact.
Currently there is no known exploit in the wild. If an exploit is published, mitigating these vulnerabilities becomes critical and should be done as quickly as possible.
We are tracking this internally as BF-VLN-2216447 with the highest priority and are currently evaluating this vulnerability and how to best handle it and ensure operational stability for all our customers.
For further general details, we refer to the Microsoft Security Response Center blog post on the topic.