Find Windows Devices with Routinely Exploited Vulnerabilities
CISA recently released their list of frequently exploited vulnerabilities from the last few years, some of which even date back to 2012! To ensure that your network isn't vulnerable to any of these exploited vulnerabilities, we've created a special audit that gives an overview of all your machines and whether they are at risk or not. In most cases, simply applying the latest Microsoft updates will easily resolve the issue, so you can also use the Patch Tuesday reports to double-check whether you have the latest patches installed.
The audit below covers the following vulnerabilities: CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759 and CVE-2015-1641. You can read our dedicated blog post on the top 8 most exploited vulnerabilities here to find more info.
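Run the audit below to check if you still have any devices that remain unpatched or might be vulnerable to exploitation of the mentioned vulnerabilities. For the most accurate results, be sure to rescan your environment before running the report. Note that the patch-based checks compare the highest installed KB number on each machine against a threshold, so a 'Safe' result is an indication rather than confirmation that the specific fix is installed.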
This report has been updated:
- Vulnerabilities for specific software will now be blank on machines that do not have that software detected.
Routinely Exploited Vulnerabilities Query
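/*
  Routinely exploited vulnerabilities audit.

  Returns asset details plus one 'Safe' / 'At risk' column per covered CVE.

  How each status is derived:
  - KB-based columns: hotfix IDs shaped like "KB" followed by seven digits are
    converted to numbers, and the highest one on the asset is compared with a
    threshold. 'Safe' therefore means "some installed hotfix has a KB number at
    or above the threshold"; it does not confirm that the specific fix for the
    CVE is installed. Treat 'Safe' as an indication and verify against the
    vendor advisory before closing a finding.
  - Office / SharePoint columns come from subqueries that inner-join both the
    hotfix tables and a software-name filter. They are NULL (blank) when no
    matching software is detected, and also when the asset has no hotfix row
    matching the KB pattern.
  - CVE-2017-0143 and CVE-2017-8759 are computed in the outer query over all of
    the asset's hotfixes; an asset with no matching hotfix rows falls through
    to the Else branch and is reported 'At risk'.
  - CVE-2018-4878 compares only the major version of Adobe Flash Player.

  The hotfix filter uses digit classes instead of the single-character
  wildcard, so only all-digit IDs are selected for the bigint conversion; a
  nine-character ID containing a letter would otherwise abort the whole report
  with a conversion error.
*/
Select Distinct Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tsysAssetTypes.AssetTypename As AssetType,
  tblAssets.Username,
  tblAssets.Userdomain,
  tsysAssetTypes.AssetTypeIcon10 As icon,
  tblAssets.IPAddress,
  CVE11882.[CVE-2017-11882 Status],
  CVE0199.[CVE-2017-0199 Status],
  CVE0158.[CVE-2012-0158 Status],
  CVE0604.[CVE-2019-0604 Status],
  Case
    When Max(PatchTuesday.KbNumber) >= 4016871 Then 'Safe'
    Else 'At risk'
  End As [CVE-2017-0143 Status],
  AdobeVersions.AdobeStatus As [CVE-2018-4878 Status],
  Case
    When Max(PatchTuesday.KbNumber) >= 4038777 Then 'Safe'
    Else 'At risk'
  End As [CVE-2017-8759 Status],
  CVE1641.[CVE-2015-1641 Status],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  /* Every numeric hotfix per asset; feeds the two Max() checks above. */
  Left Join (Select Top 1000000 tblAssets.AssetID,
      Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID, 'KB',
      '')) As KbNumber
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]') As PatchTuesday
    On PatchTuesday.AssetID = tblAssets.AssetID
  /*
    Flash Player status. The major version is the text before the first '.'
    in softwareVersion. An asset with several Flash Player entries yields one
    row per entry, so it can appear with more than one status.
    NOTE(review): only the major version is compared, so fixed and unfixed
    builds within the same major release cannot be told apart. Confirm the
    "> 26" threshold against Adobe's advisory for CVE-2018-4878.
  */
  Left Join (Select Top 1000000 tblSoftware.AssetID,
      Case
        When Cast(SubString(tblSoftware.softwareVersion, 0, CharIndex('.',
          tblSoftware.softwareVersion)) As INT) > 26 And
          tblSoftwareUni.softwareName Like '%Adobe Flash Player%' Then 'Safe'
        When Cast(SubString(tblSoftware.softwareVersion, 0, CharIndex('.',
          tblSoftware.softwareVersion)) As INT) <= 26 And
          tblSoftwareUni.softwareName Like '%Adobe Flash Player%' Then
          'At risk'
      End As AdobeStatus
    From tblSoftware
      Inner Join tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
    Where tblSoftwareUni.softwareName Like '%Adobe Flash Player%') As
    AdobeVersions On AdobeVersions.AssetID = tblAssets.AssetID
  /* CVE-2017-11882: assets with Microsoft Office 2007 / 2010 / 2013 / 2016. */
  Left Join (Select tblAssets.AssetID,
      Case
        When Max(Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID,
          'KB', ''))) >= 4048952 Then 'Safe'
        Else 'At risk'
      End As [CVE-2017-11882 Status]
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
      Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]' And
      (tblSoftwareUni.softwareName Like 'Microsoft Office%2016%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2013%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2010%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2007%')
    Group By tblAssets.AssetID) As CVE11882 On CVE11882.AssetID =
    tblAssets.AssetID
  /* CVE-2017-0199: assets with Microsoft Office 2007 / 2010 / 2013 / 2016. */
  Left Join (Select tblAssets.AssetID,
      Case
        When Max(Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID,
          'KB', ''))) >= 4015219 Then 'Safe'
        Else 'At risk'
      End As [CVE-2017-0199 Status]
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
      Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]' And
      (tblSoftwareUni.softwareName Like 'Microsoft Office%2016%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2013%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2010%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2007%')
    Group By tblAssets.AssetID) As CVE0199 On CVE0199.AssetID =
    tblAssets.AssetID
  /* CVE-2012-0158: assets with Microsoft Office 2003 / 2007 / 2010. */
  Left Join (Select tblAssets.AssetID,
      Case
        When Max(Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID,
          'KB', ''))) >= 2597112 Then 'Safe'
        Else 'At risk'
      End As [CVE-2012-0158 Status]
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
      Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]' And
      (tblSoftwareUni.softwareName Like 'Microsoft Office%2003%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2010%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2007%')
    Group By tblAssets.AssetID) As CVE0158 On CVE0158.AssetID =
    tblAssets.AssetID
  /* CVE-2019-0604: assets with any software whose name contains "Sharepoint". */
  Left Join (Select tblAssets.AssetID,
      Case
        When Max(Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID,
          'KB', ''))) >= 4489871 Then 'Safe'
        Else 'At risk'
      End As [CVE-2019-0604 Status]
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
      Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]' And
      tblSoftwareUni.softwareName Like '%Sharepoint%'
    Group By tblAssets.AssetID) As CVE0604 On CVE0604.AssetID =
    tblAssets.AssetID
  /*
    CVE-2015-1641: assets with Microsoft Office 2007 / 2010 / 2013,
    SharePoint 2010 / 2013 or Office Web Apps 2010 / 2013.
  */
  Left Join (Select tblAssets.AssetID,
      Case
        When Max(Convert(bigint,Replace(tblQuickFixEngineeringUni.HotFixID,
          'KB', ''))) >= 2553164 Then 'Safe'
        Else 'At risk'
      End As [CVE-2015-1641 Status]
    From tblAssets
      Inner Join tblQuickFixEngineering On tblAssets.AssetID =
        tblQuickFixEngineering.AssetID
      Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
        = tblQuickFixEngineering.QFEID
      Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
      Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
    Where tblQuickFixEngineeringUni.HotFixID Like
      'KB[0-9][0-9][0-9][0-9][0-9][0-9][0-9]' And
      (tblSoftwareUni.softwareName Like 'Microsoft Office%2013%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2010%' Or
        tblSoftwareUni.softwareName Like 'Microsoft Office%2007%' Or
        tblSoftwareUni.softwareName Like '%Sharepoint%2010%' Or
        tblSoftwareUni.softwareName Like '%Sharepoint%2013%' Or
        tblSoftwareUni.softwareName Like '%Office%Web%Apps%2010%' Or
        tblSoftwareUni.softwareName Like '%Office%Web%Apps%2013%')
    Group By tblAssets.AssetID) As CVE1641 On CVE1641.AssetID =
    tblAssets.AssetID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  /*
    NOTE(review): the two software joins below restrict the report to assets
    that have at least one software row. They also produce one group per
    installed software item, which Distinct then collapses, so they add cost
    without adding columns. Kept as-is to preserve the original result set.
  */
  Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
  Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  /* NOTE(review): tblState is joined but no state filter is applied. */
  Inner Join tblState On tblState.State = tblAssetCustom.State
Group By tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tsysAssetTypes.AssetTypename,
  tblAssets.Username,
  tblAssets.Userdomain,
  tsysAssetTypes.AssetTypeIcon10,
  tblAssets.IPAddress,
  CVE11882.[CVE-2017-11882 Status],
  CVE0199.[CVE-2017-0199 Status],
  CVE0158.[CVE-2012-0158 Status],
  CVE0604.[CVE-2019-0604 Status],
  AdobeVersions.AdobeStatus,
  CVE1641.[CVE-2015-1641 Status],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname,
  tblAssets.SP,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  tblSoftwareUni.softwareName,
  tblSoftware.softwareVersion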