CVE-2022-21919

Q: What is the severity of CVE-2022-21919?

CVE-2022-21919 has a CVSS score of 7.0 (HIGH). CVE-2022-21919 is an elevation of privilege vulnerability in the Windows User Profile Service that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems. It affects Windows operating systems, enabling local attackers to escalate their permissions and potentially take full control of the machine. This vulnerability requires an attacker to have initial access to the system, such as through a standard user account.

7.0 HIGH

📋 TL;DR

CVE-2022-21919 is an elevation of privilege vulnerability in the Windows User Profile Service that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems. It affects Windows operating systems, enabling local attackers to escalate their permissions and potentially take full control of the machine. This vulnerability requires an attacker to have initial access to the system, such as through a standard user account.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and earlier supported versions as per Microsoft advisory.

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with default configurations; exploitation requires an attacker to have local access and the ability to run code on the target system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access can exploit this to gain SYSTEM privileges, leading to complete compromise of the system, installation of malware, data theft, or lateral movement across the network.

🟠

Likely Case

In real-world scenarios, attackers with initial foothold (e.g., via phishing or compromised credentials) use this to escalate privileges, bypass security controls, and maintain persistence on the system.

🟢

If Mitigated

With proper controls like timely patching, least privilege access, and network segmentation, the impact is limited to isolated systems, preventing widespread compromise.

🌐 Internet-Facing: LOW, as this is a local privilege escalation vulnerability requiring authenticated access; it cannot be directly exploited over the internet without prior access.

🏢 Internal Only: HIGH, as internal attackers or malware with user-level access can exploit this to gain elevated privileges, posing significant risk to internal networks and sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation is confirmed with public proof-of-concept code available; it requires authenticated access but is relatively straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the security update from Microsoft's January 2022 Patch Tuesday or later; specific KB numbers vary by Windows version (e.g., KB5009543 for Windows 10 21H2).

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Check for updates and install the latest security updates. 3. Restart the system if prompted. For enterprise environments, deploy updates via WSUS or Microsoft Endpoint Configuration Manager.

🔧 Temporary Workarounds

Restrict User Privileges

windows

Limit user accounts to standard privileges to reduce the attack surface; attackers need initial access to exploit this vulnerability.

Enable Windows Defender Exploit Guard

windows

Use exploit protection features to mitigate privilege escalation attempts.

Set-ProcessMitigation -PolicyFilePath exploit_protection.xml

🧯 If You Can't Patch

Implement network segmentation to isolate vulnerable systems and limit lateral movement.
Enforce strict access controls and monitor for suspicious activity, such as unusual privilege escalation attempts in logs.

🔍 How to Verify

Check if Vulnerable:

Check the Windows version and installed updates; if the January 2022 or later security update is not applied, the system is likely vulnerable. Use 'systeminfo' command to review OS version and hotfixes.

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify that the security update KB5009543 or relevant patch for your Windows version is installed via 'wmic qfe list' or Settings > Update & Security > View update history.

📡 Detection & Monitoring

Log Indicators:

Look for Event ID 4688 in Windows Security logs with suspicious process creation, especially involving User Profile Service or privilege escalation patterns.
Monitor for failed or successful privilege changes in audit logs.

Network Indicators:

No direct network indicators, as this is a local exploit; focus on lateral movement or command-and-control traffic post-exploitation.

SIEM Query:

Example for Splunk: source="WinEventLog:Security" EventCode=4688 | search "User Profile Service" OR "privilege escalation"

📊 Metadata

CVE ID: CVE-2022-21919

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: January 11, 2022

Last Updated: October 30, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21919 US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1909 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 21h1 by Microsoft

Windows 10 21h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft