The National Cyber Security Monitoring Center (NCSC) under AIS has identified five information security vulnerabilities in Microsoft products that can be exploited by hackers to attack information systems in Vietnam.

These are serious vulnerabilities named in Microsoft’s December 2023 patch list, including CVE-2023-36019 in Microsoft Power Platform Connector which allow phishing attacks, leading to remote code execution; and two vulnerabilities CVE-2023-35630 and CVE-2023-35641 in Internet Connection Sharing which allows remote code execution.

The other vulnerabilities include CVE-2023-35628 in Windows MSHTML Platform which allows hackers to carry out remote execution; and Windows MSHTML Platform in Microsoft Outlook which may expose ‘NTML hash’, allowing privilege escalation attacks. 

AIS recommended that agencies, organizations and businesses examine the computers using the operating system of Windows which may be affected, and update the latest patches to avoid being attacked.

In a document released in December 2023 before the 2024 New Year holiday, AIS also urged organizations and businesses to detect vulnerabilities on the information systems under their management, carry out measures to prevent attacks, and fix the vulnerabilities identified by the agency.

AIS emphasized a serious vulnerability in F5 BIG-IP and zero-day in Zimba system, as well as high vulnerabilities in Microsoft products that the agency gave warnings about from May to November 2023.

Every month, AIS releases a report about vulnerabilities and information flaws in the information systems of state agencies, and gives guidance on how to fix them.

AIS found a high number of vulnerabilities in computers of state agencies and organizations in March, September and November 2023: 57,916, 59,935 and 71,998 vulnerabilities, respectively.

Experts said security vulnerabilities are one of the leading reasons causing cyberattacks targeting information systems of organizations and businesses. Serious vulnerabilities, if not handled immediately, will put agencies and organizations at immediate risk of attack.

According to AIS, more than 70 percent of institutions ignore warnings or don’t pay appropriate attention to patching the identified flaws. They pay attention to protecting their information systems from new risks, but don’t think of fixing holes and vulnerabilities that have been identified through warnings issued by authorities.

AIS stressed that in many cases, information systems have been hijacked, but the administrators have not recognized the risk because attackers are still waiting for their chance or are secretly stealing information.

AIS recommended that agencies and businesses prioritize fixing existing and potential problems in their information systems. 

Van Anh