Cyber Resilience

CVE-2022-22047

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · LPE

Published: 12 July 2022
Modified: 30 October 2025
KEV Added: 12 July 2022
Patch: available (Microsoft security update guide)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0120 (79.3rd percentile)
Risk Priority: 36 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22047 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2022-22047 is an elevation-of-privilege vulnerability in the Windows Client Server Run-time Subsystem (CSRSS) that carries a CVSS 3.1 score of 7.8. The flaw is classified under CWE-426 and affects the CSRSS component responsible for managing Windows console sessions and related runtime services. It was publicly disclosed on 12 July 2022.

A local attacker who already possesses a low-privileged user account on an affected Windows system can exploit the weakness without user interaction. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the host, effectively allowing transition from a standard user to SYSTEM-level privileges.

Microsoft’s security update guide provides patches that address the issue, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming that remediation should be prioritized through the supplied updates.

EPSS scores have remained low, with a recorded peak of 0.0150 and a current value of 0.0120, indicating limited observed exploitation interest after disclosure.


Vulnerability details

Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability

CWE(s): CWE-426 (Untrusted Search Path)
KEV Date Added: 12 July 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1507: ≤ 10.0.10240.19360
Microsoft Windows 10 1607: ≤ 10.0.14393.5246
Microsoft Windows 10 1809: ≤ 10.0.17763.3165
Microsoft Windows 10 20H2: ≤ 10.0.19042.1826
Microsoft Windows 10 21H1: ≤ 10.0.19043.1826
Microsoft Windows 10 21H2: ≤ 10.0.19044.1826
Microsoft Windows 11 21H2: ≤ 10.0.22000.795
Microsoft Windows 7: all versions
Microsoft Windows 8.1: all versions
Microsoft Windows RT 8.1: all versions
+6 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires applying the vendor patches that remediate the CSRSS untrusted search path flaw before local exploitation can succeed.

Integrity verification (prevent, detect): Requires integrity verification of system executables and libraries, blocking or alerting on untrusted search-path loading used by this EoP attack.

AC-6 Least Privilege (prevent): Enforces least-privilege execution so that even a successful CSRSS search-path escalation cannot immediately yield full system control.
