Cyber Resilience

CVE-2022-21999

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 February 2022
Modified: 30 October 2025
KEV Added: 25 March 2022
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7320 (98.8th percentile)
Risk Priority: 80 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21999 is a high-severity Path Traversal (CWE-22) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-21999 is an elevation-of-privilege vulnerability in the Windows Print Spooler service. It is tracked under CWE-22 and CWE-59 and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, and low privileges required.

An authenticated local attacker can exploit the flaw without user interaction to obtain full control over the affected system, resulting in high impact to confidentiality, integrity, and availability. The vulnerability therefore allows any low-privileged user on a Windows host running the Print Spooler to escalate to SYSTEM-level privileges.

Microsoft’s security update guide provides patches that address the issue, and CISA includes CVE-2022-21999 in its catalog of known exploited vulnerabilities, confirming that the flaw has been observed in active campaigns.

EPSS for the CVE rose sharply from lower values after disclosure to a peak of 0.9684 on 2023-04-08 before receding to the current score of 0.7320, indicating sustained post-disclosure exploitation interest that warrants continued attention.

Vulnerability details

Windows Print Spooler Elevation of Privilege Vulnerability

CWE(s): CWE-22, CWE-59
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets (vendor, product: affected versions)

microsoft, windows 10 1507: ≤ 10.0.10240.19204
microsoft, windows 10 1607: ≤ 10.0.14393.4946
microsoft, windows 10 1809: ≤ 10.0.17763.2565
microsoft, windows 10 1909: ≤ 10.0.18363.2094
microsoft, windows 10 20h2: ≤ 10.0.19042.1526
microsoft, windows 10 21h1: ≤ 10.0.19043.1526
microsoft, windows 10 21h2: ≤ 10.0.19044.1526
microsoft, windows 11 21h2: ≤ 10.0.22000.493
microsoft, windows 7: all versions
microsoft, windows 8.1: all versions
+7 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely installation of the vendor patch that eliminates the Print Spooler EoP flaw.

prevent (AC-6, Least Privilege): Enforces least-privilege boundaries so a local account cannot reach SYSTEM via the spooler vulnerability.

prevent: Allows disabling or removing the Print Spooler service when not required, eliminating the attack surface.
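The following audit script is an added example, not part of this CVE record or of any Microsoft tooling. It reads the installed Windows 10/11 build from the registry, compares it against the "≤" cutoffs listed under Affected Assets, and reports the Print Spooler state, which is the component the mitigating controls above target. It assumes a host at or below its listed cutoff is unpatched; Windows 7/8.1 builds are not in the table and are reported as needing a manual NVD check.

```powershell
# Added example: audit one host for CVE-2022-21999 exposure using the build
# cutoffs from the Affected Assets list. Assumption: a host at or below the
# listed 10.0.<build>.<UBR> value is treated as unpatched.
$VulnerableCutoffs = @{
    '10240' = [version]'10.0.10240.19204'   # Windows 10 1507
    '14393' = [version]'10.0.14393.4946'    # Windows 10 1607
    '17763' = [version]'10.0.17763.2565'    # Windows 10 1809
    '18363' = [version]'10.0.18363.2094'    # Windows 10 1909
    '19042' = [version]'10.0.19042.1526'    # Windows 10 20H2
    '19043' = [version]'10.0.19043.1526'    # Windows 10 21H1
    '19044' = [version]'10.0.19044.1526'    # Windows 10 21H2
    '22000' = [version]'10.0.22000.493'     # Windows 11 21H2
}

function Get-Cve202221999Exposure {
    # CurrentBuild plus UBR (update build revision) identify the installed patch level.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $installed = [version]"10.0.$($nt.CurrentBuild).$($nt.UBR)"

    $cutoff = $VulnerableCutoffs[[string]$nt.CurrentBuild]
    $patchState = if ($null -eq $cutoff) { 'Build not in page list; check NVD' }
                  elseif ($installed -le $cutoff) { 'UNPATCHED (at or below listed cutoff)' }
                  else { 'Patched (above listed cutoff)' }

    # The spooler is the vulnerable component; when it is stopped and disabled,
    # the local EoP path is closed even on a host that has not yet been patched.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerState = if ($null -eq $spooler) { 'Not installed' }
                    else { "$($spooler.Status) / startup $($spooler.StartType)" }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        InstalledBuild = $installed.ToString()
        ListedCutoff   = if ($cutoff) { $cutoff.ToString() } else { 'n/a' }
        PatchState     = $patchState
        PrintSpooler   = $spoolerState
        # SI-2: install the vendor update. Where printing is not needed, remove the
        # attack surface instead:  Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
        NeedsAction    = ($patchState -like 'UNPATCHED*') -and ($spooler.Status -eq 'Running')
    }
}

Get-Cve202221999Exposure | Format-List
```

Run it from an elevated PowerShell session on each managed host (or wrap it in Invoke-Command for a fleet); a NeedsAction of True means the host is both below the listed cutoff and still running the spooler.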

References