Login Sign Up

CVE-2022-21981

7.8 HIGH

📋 TL;DR

CVE-2022-21981 is a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver that allows authenticated attackers to gain SYSTEM-level privileges. This affects Windows systems where an attacker already has some level of access. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Windows versions are vulnerable. No special configuration required.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with initial access (even as a low-privileged user) could gain full SYSTEM privileges, enabling complete system compromise, persistence, credential theft, and lateral movement.

🟠

Likely Case

Attackers who have already compromised a system through phishing or other means use this to escalate privileges and maintain persistence or move laterally.

🟢

If Mitigated

With proper patch management and least privilege principles, impact is limited to isolated systems with no lateral movement capability.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access, not remotely exploitable.
🏢 Internal Only: HIGH - Once an attacker gains initial foothold on a network, this provides easy privilege escalation for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available and relatively simple to execute. Requires local authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009543 for Windows 10 21H2, KB5009557 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21981

Restart Required: Yes

Instructions:

1. Apply January 2022 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local access

windows

Limit who has local login access to vulnerable systems

Implement least privilege

windows

Ensure users operate with minimal necessary privileges

🧯 If You Can't Patch

  • Implement strict network segmentation to limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and patch level. If running affected versions without January 2022 updates, system is vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that January 2022 security updates are installed via 'winver' or 'systeminfo' command.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) showing unexpected SYSTEM privilege acquisition
  • Security log entries showing privilege escalation

Network Indicators:

  • Unusual outbound connections from previously low-privileged accounts

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"

📊 Metadata

CVE ID: CVE-2022-21981
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: February 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON