CVE-2022-21907
📋 TL;DR
CVE-2022-21907 is a critical remote code execution vulnerability in the Windows HTTP Protocol Stack (http.sys) that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending specially crafted packets. This affects Windows servers and workstations running the HTTP Protocol Stack. The vulnerability is wormable and can be exploited without user interaction.
💻 Affected Systems
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows 11
- Windows 10
📦 What is this software?
Windows 10 by Microsoft
Windows 11 by Microsoft
Windows Server by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to ransomware deployment, data exfiltration, or creation of a persistent backdoor with SYSTEM privileges across the network.
Likely Case
Denial of service (system crash/BSOD) or remote code execution leading to malware installation, credential theft, and lateral movement.
If Mitigated
Limited impact if systems are patched, firewalled, or running non-vulnerable configurations; potential DoS still possible.
🎯 Exploit Status
Exploit code is publicly available; attacks have been observed in the wild. The vulnerability is in the HTTP/2 protocol handling within http.sys.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2022 security updates (e.g., KB5009557 for Windows 10 20H2)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907
Restart Required: Yes
Instructions:
1. Apply the January 2022 Windows security updates from Microsoft Update.
2. Restart the system to complete the installation.
3. Verify the patch is applied using Windows Update history or system information.
🔧 Temporary Workarounds
Disable HTTP/2 protocol
Platform: windows. Disables HTTP/2 in the HTTP Protocol Stack to mitigate the vulnerability, but may reduce performance for clients that rely on HTTP/2.
netsh http add iplisten ipaddress=::
netsh http delete iplisten ipaddress=::
Note: 'netsh http add/delete iplisten' only edits the http.sys IP listen list (here adding and then removing the IPv6 wildcard listener); it does not by itself change whether HTTP/2 is negotiated, so confirm the setting actually took effect before relying on this workaround.
Block HTTP/2 traffic at network perimeter
Platform: all. Use firewalls or network devices to block or inspect HTTP/2 traffic to vulnerable systems.
🧯 If You Can't Patch
- Isolate affected systems from untrusted networks using firewalls or network segmentation.
- Monitor for exploitation attempts via network traffic analysis and system logs.
🔍 How to Verify
Check if Vulnerable:
Check if the system is running an affected Windows version and has HTTP Protocol Stack enabled (e.g., via 'netsh http show servicestate').
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the January 2022 security update is installed (via 'systeminfo', 'Get-HotFix', or Windows Update history), and check that the http.sys file version is the patched one.
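The verification steps above, as an added PowerShell example that is not part of this advisory: it reports the OS build, whether the http.sys driver is running, whether a listed January 2022 KB is installed, and the http.sys file version. Assumptions: the KB number is the one quoted in this advisory (KB5009557); other Windows builds receive the fix under different KB numbers, so add yours to $KbIds; http.sys is at its standard driver location.

```powershell
# Added example, not from the advisory: check this host for the January 2022
# CVE-2022-21907 fix and for an active HTTP Protocol Stack (http.sys).
# Assumption: KB5009557 is taken from the advisory; add the KB for your build.
function Test-Cve202221907Fix {
    param([string[]]$KbIds = @('KB5009557'))

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # http.sys is a kernel driver service, so query Win32_SystemDriver rather than Get-Service
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
    # Get-HotFix lists installed updates by KB id
    $hotfix = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    # Assumption: standard driver path; compare the version against the patched release
    $file = Get-Item "$env:SystemRoot\System32\drivers\http.sys" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSName         = $os.Caption
        OSBuild        = $os.BuildNumber
        HttpSysState   = if ($drv) { $drv.State } else { 'not present' }
        FixInstalled   = [bool]$hotfix
        FixKB          = ($hotfix | ForEach-Object HotFixID) -join ','
        HttpSysVersion = if ($file) { $file.VersionInfo.FileVersion } else { 'unknown' }
    }
}

$result = Test-Cve202221907Fix
$result | Format-List

# A running http.sys with no listed update installed is the exposed condition
if ($result.HttpSysState -eq 'Running' -and -not $result.FixInstalled) {
    Write-Warning "http.sys is running and no listed January 2022 update is installed; treat as vulnerable until the update is confirmed."
}

# Show what http.sys is currently serving (the check the advisory mentions)
netsh http show servicestate
```

Run from an elevated PowerShell prompt; Get-HotFix may not list updates installed through some deployment tools, so cross-check against Windows Update history when FixInstalled is False.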
📡 Detection & Monitoring
Log Indicators:
- Event ID 1 from http.sys with crash details in Windows Event Logs
- Unexpected system reboots or BSOD events
Network Indicators:
- Malformed HTTP/2 packets targeting vulnerable systems
- Increased HTTP traffic to internal systems
SIEM Query:
source="windows" event_id=1 process_name="http.sys" OR source="firewall" dest_port=80,443 protocol="HTTP/2"