CVE-2022-21914

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges on Windows systems. It affects Windows Remote Access Connection Manager service, enabling local privilege escalation. Users with standard privileges could gain full system control.

💻 Affected Systems

Products:
  • Windows Remote Access Connection Manager
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Remote Access Connection Manager service enabled. Standard Windows installations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing persistent malware, accessing all data, and pivoting to other systems.

🟠

Likely Case

Local privilege escalation where authenticated users gain administrative control over the compromised system.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege principles, and endpoint protection are implemented.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any authenticated user on affected Windows systems could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated local access to the target system. No public exploit code was available at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009543 for Windows 10 21H2, KB5009566 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21914

Restart Required: Yes

Instructions:

1. Apply the January 2022 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Remote Access Connection Manager Service

Platform: Windows

Disables the vulnerable service if it is not required for business operations (note that RasMan is needed for VPN/dial-up connections, so confirm nothing depends on it first).

sc config RasMan start= disabled
sc stop RasMan

Restrict Service Permissions

Platform: Windows

Apply stricter ACLs to the service to limit who can interact with it. Record the current descriptor with `sc sdshow RasMan` before changing it so it can be restored; the descriptor below grants full control only to SYSTEM and Administrators and leaves Interactive and Service users with query/read rights only.

sc sdshow RasMan
sc sdset RasMan D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

  • Implement strict network segmentation to limit lateral movement
  • Apply principle of least privilege and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and patch level. Systems without January 2022 security updates are vulnerable.

Check Version:

wmic qfe list | findstr "KB5009543 KB5009566"

(findstr treats a space-separated quoted string as a list of alternatives; passing the second KB unquoted would make findstr read it as a file name. On builds where wmic has been removed, use `Get-HotFix` in PowerShell instead.)

Verify Fix Applied:

Verify that KB5009543 (Windows 10 21H2), KB5009566 (Windows 11), or the equivalent January 2022 security update for your SKU is installed. A later cumulative update supersedes these KBs and will not list them by ID, so on systems patched after January 2022 compare the OS build revision against the vendor advisory instead.
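The check above as a single PowerShell function that reports patch state and RasMan exposure on the local host. This is an added example, not part of the advisory; the function name is hypothetical, and it assumes the two KB IDs listed in the advisory (other SKUs need their own January 2022 KB, and a newer cumulative update will not show these IDs, so treat a "not installed" result as "needs manual build check", not as proof of exposure).

```powershell
# Added example (not from the advisory). KB IDs are the two the advisory lists.
$januaryKbs = @('KB5009543', 'KB5009566')

function Test-Cve202221914State {
    # Get-HotFix lists installed cumulative updates by KB ID.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $januaryKbs -contains $_.HotFixID }

    # Service presence, run state and start mode for RasMan.
    $svc  = Get-Service -Name RasMan -ErrorAction SilentlyContinue
    $cim  = Get-CimInstance -ClassName Win32_Service -Filter "Name='RasMan'" -ErrorAction SilentlyContinue
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    $patched = [bool]$installed
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        OSCaption       = $os.Caption
        OSBuild         = $os.BuildNumber
        JanuaryKBFound  = $patched
        KBIDs           = ($installed.HotFixID -join ',')
        RasManPresent   = ($null -ne $svc)
        RasManStatus    = if ($svc) { [string]$svc.Status } else { 'NotPresent' }
        RasManStartMode = if ($cim) { $cim.StartMode } else { 'n/a' }
        # Exposed only when no listed KB is found AND the service is running.
        # If a newer CU is installed, JanuaryKBFound is False: verify the build manually.
        NeedsAttention  = (-not $patched) -and $running
    }
}

Test-Cve202221914State | Format-List
```

Run in an elevated PowerShell session; a `NeedsAttention` of True means either the patch is missing or the host has a newer cumulative update that must be confirmed by build number.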

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 where the parent is the svchost.exe instance hosting RasMan (command line contains "-s RasMan") and the child is an unexpected process
  • Unexpected privilege escalation events in security logs

Network Indicators:

  • Unusual outbound connections from systems with RasMan service

SIEM Query:

EventID=4688 AND (CommandLine LIKE '%-s RasMan%' OR ParentCommandLine LIKE '%-s RasMan%' OR ProcessName LIKE '%rasman%' OR ParentProcessName LIKE '%rasman%')

RasMan runs inside a shared svchost.exe, so the 4688 process name is svchost.exe rather than rasman; the CommandLine fields are only populated when process creation auditing is configured to include the command line.

🔗 References
