CVE-2022-21999
Published: 09 February 2022
Summary
CVE-2022-21999 is a high-severity Path Traversal (CWE-22) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-21999 is an elevation-of-privilege vulnerability in the Windows Print Spooler service. It is tracked under CWE-22 and CWE-59 and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, and low privileges required.
An authenticated local attacker can exploit the flaw without user interaction to obtain full control over the affected system, resulting in high impact to confidentiality, integrity, and availability. The vulnerability therefore allows any low-privileged user on a Windows host running the Print Spooler to escalate to SYSTEM-level privileges.
Microsoft’s security update guide provides patches that address the issue, and CISA includes CVE-2022-21999 in its catalog of known exploited vulnerabilities, confirming that the flaw has been observed in active campaigns.
EPSS for the CVE rose sharply from lower values after disclosure to a peak of 0.9684 on 2023-04-08 before receding to the current score of 0.7320, indicating sustained post-disclosure exploitation interest that warrants continued attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27153
Vulnerability details
Windows Print Spooler Elevation of Privilege Vulnerability
- CWE(s)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that eliminates the Print Spooler EoP flaw.
Enforces least-privilege boundaries so a local account cannot reach SYSTEM via the spooler vulnerability.
Allows disabling or removing the Print Spooler service when not required, eliminating the attack surface.