CVE-2022-22047
Published: 12 July 2022
Summary
CVE-2022-22047 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-22047 is an elevation-of-privilege vulnerability in the Windows Client Server Run-time Subsystem (CSRSS) that carries a CVSS 3.1 score of 7.8. The flaw is classified under CWE-426 and affects the CSRSS component responsible for managing Windows console sessions and related runtime services. It was publicly disclosed on 12 July 2022.
A local attacker who already holds a low-privileged user account on an affected Windows system can exploit the weakness without user interaction. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the host, effectively allowing a transition from a standard user to SYSTEM-level privileges.
Microsoft’s security update guide provides patches that address the issue, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming that remediation should be prioritized through the supplied updates.
EPSS scores have remained low, with a recorded peak of 0.0150 and a current value of 0.0120, indicating limited observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27201
Vulnerability details
Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
- CWE(s): CWE-426 (Untrusted Search Path)
- KEV Date Added: 12 July 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patches that remediate the CSRSS untrusted search path flaw before local exploitation can succeed.
Requires integrity verification of system executables and libraries, blocking or alerting on the untrusted search-path loading that this elevation-of-privilege attack relies on.
Enforces least-privilege execution so that even a successful CSRSS search-path escalation cannot immediately yield full control of the system.