Security Advisory 2022-042

Release Date:

Critical Vulnerability in Windows NFS



  • 15/06/2022 --- v1.0 -- Initial publication


On the 14th of June 2022, Microsoft -- as part of the June Patch Tuesday release -- has issued several (55) security fixes for various vulnerabilities. Among others, the update fixes the critical vulnerability CVE-2022-30136 which is a RCE vulnerability in the network file system (NFS). The vulnerability can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service [1]. The vulnerability is not exploitable in NFSV2.0 or NFSV3.0 [2].

There is no evidence that this vulnerability is exploited in the wild. However, it is recommended to patch as soon as possible.

Technical Details

The vulnerability tracked as CVE-2022-30136 (CVSS score: 9.8) affects Windows assets running NFS. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0 [2]. Microsoft has not provided more technical details about this vulnerability at this time.

Affected Products

This vulnerability affects the following Windows products with NFS enabled (also Server Core installation):

  • Windows Server 2012 R2;
  • Windows Server 2012;
  • Windows Server 2016;
  • Windows Server 2019.


CERT-EU recommends to apply the patches provided by Microsoft as soon as possible.


The advisory notes that NFS versions 2.0 and 3.0 are not affected and administrators can disable NFS version 4.1 to mitigate this flaw [2].





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.