CVE-2022-21972

Q: What is the severity of CVE-2022-21972?

CVE-2022-21972 has a CVSS score of 8.1 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Windows systems by sending specially crafted packets to the Point-to-Point Tunneling Protocol (PPTP) service. It affects Windows servers and workstations with PPTP enabled. Successful exploitation could give attackers full control of the affected system.

8.1 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems by sending specially crafted packets to the Point-to-Point Tunneling Protocol (PPTP) service. It affects Windows servers and workstations with PPTP enabled. Successful exploitation could give attackers full control of the affected system.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows Server 2022, Windows 11, Windows Server 2019, Windows 10, Windows Server 2016, Windows Server 2012, Windows 8.1, Windows Server 2008, Windows 7

Operating Systems: Windows

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if PPTP service is enabled and listening. PPTP is often disabled by default in modern Windows versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to malware deployment, ransomware infection, or credential harvesting from the compromised system.

🟢

If Mitigated

No impact if PPTP is disabled or systems are properly segmented and patched.

🌐 Internet-Facing: HIGH if PPTP VPN endpoints are exposed to the internet, as attackers can directly target them.

🏢 Internal Only: MEDIUM if PPTP is used internally, requiring network access but potentially enabling lateral movement.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending malicious packets to the PPTP service. No authentication needed if service is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009557 for Windows 10, KB5009555 for Windows Server 2019, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21972

Restart Required: Yes

Instructions:

1. Apply January 2022 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart systems after patching.

🔧 Temporary Workarounds

Disable PPTP Service

windows

Disable the PPTP service to prevent exploitation.

sc config RasMan start= disabled
sc stop RasMan

Block PPTP Ports

windows

Block PPTP traffic at network boundaries.

netsh advfirewall firewall add rule name="Block PPTP" dir=in action=block protocol=TCP localport=1723

🧯 If You Can't Patch

Disable PPTP service on all affected systems.
Implement network segmentation to isolate PPTP servers from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check if PPTP service (RasMan) is running: sc query RasMan | findstr RUNNING

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify January 2022 security updates are installed: wmic qfe list | findstr KB5009557

📡 Detection & Monitoring

Log Indicators:

Event ID 20185 in Windows RemoteAccess logs indicating PPTP connection failures
Unexpected RasMan service crashes

Network Indicators:

Unusual TCP port 1723 traffic patterns
Malformed PPTP packets

SIEM Query:

source="Windows" AND (event_id=20185 OR service_name="RasMan")

📊 Metadata

CVE ID: CVE-2022-21972

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: May 10, 2022

Last Updated: January 2, 2025

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable PPTP Service

Block PPTP Ports

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export