Microsoft discovered a new zero-day vulnerability in Windows products and released a patch. The vulnerability lets attackers who already have a foothold on a targeted system run code with SYSTEM privileges. After the discovery, CISA added CVE-2022-22047 to its Known Exploited Vulnerabilities Catalog and set August 2 as the remediation deadline.
The vulnerability, labeled CVE-2022-22047, affects CSRSS (Windows Client Server Runtime Subsystem) and is an elevation of privileges vulnerability. It has a CVSS score of 7.8.
Affected product versions are listed below:
- Windows 7, 8.1, 10, 11
- Windows Server 2008, 2012, 2016, 2019, 2022
Patch Is Available
An attacker would need local or physical access to the targeted machine to exploit this vulnerability, meaning it can’t be exploited remotely unless the attacker has already infected the system with malware. However, a patch is available (in the July 2022 releases), so the risk is rated medium.
Although the vulnerability is being actively exploited, there is no known public proof-of-concept, which helps limit attacks, according to cyberthreat intelligence analyst Nicole Hoffman.
Although CVE-2022-22047 is difficult to exploit and the availability of patches reduces the risk, cybersecurity researchers stress that privilege escalation vulnerabilities are dangerous. In many attack scenarios, threat actors use such vulnerabilities to progress from initial access to lateral movement.
July 2022 Patch Tuesday Security Updates
Microsoft fixed 83 more CVEs in its July 2022 Security Updates, four of which were considered critical:
- CVE-2022-22038 (Remote Procedure Call Runtime RCE Vulnerability)
- CVE-2022-22028 (NFS Information Disclosure Vulnerability)
- CVE-2022-22029 (NFS RCE Vulnerability)
- CVE-2022-22039 (NFS RCE Vulnerability)