CVE-2022-21991

8.1 HIGH

📋 TL;DR

This vulnerability allows remote code execution through Visual Studio Code's Remote Development extension. Attackers can execute arbitrary code on systems running vulnerable versions when users connect to malicious remote endpoints. Developers using VS Code with Remote Development extensions are affected.

💻 Affected Systems

Products:
  • Visual Studio Code
  • Visual Studio Code Remote Development Extension Pack
Versions: Visual Studio Code versions before 1.64.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have installed and use Remote Development extensions. The vulnerability is in how the extension handles remote connections.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing an attacker to execute arbitrary code, steal credentials, install malware, and pivot to other systems in the network.

🟠 Likely Case

Attacker gains code execution in the context of the VS Code user, potentially accessing sensitive development files, credentials, and project data.

🟢 If Mitigated

Limited impact with proper network segmentation, endpoint protection, and user privilege restrictions in place.

🌐 Internet-Facing: MEDIUM - Requires user to connect to malicious remote endpoint, but can be exploited through social engineering or compromised development servers.
🏢 Internal Only: MEDIUM - Internal development environments could be targeted through compromised internal servers or malicious colleagues.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to connect to a malicious remote endpoint. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Visual Studio Code 1.64.0 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21991

Restart Required: Yes

Instructions:

1. Open VS Code.
2. Click on the Help menu.
3. Select Check for Updates.
4. Install the update to version 1.64.0 or later.
5. Restart VS Code after installation.

🔧 Temporary Workarounds

Disable Remote Development Extensions (platform: all)

Temporarily disable or uninstall the Remote Development extension pack until patching is possible. Note that --disable-extension only applies to the VS Code instance launched with that flag; uninstalling is the option that persists across restarts.

code --disable-extension ms-vscode-remote.vscode-remote-extensionpack
code --uninstall-extension ms-vscode-remote.vscode-remote-extensionpack

Restrict Remote Connections (platform: all)

Only connect to trusted, verified remote development servers and endpoints.

🧯 If You Can't Patch

  • Disable or uninstall Remote Development extensions immediately
  • Implement network segmentation to isolate development environments from production systems

🔍 How to Verify

Check if Vulnerable:

Check the VS Code version: open VS Code and go to Help > About. If the version is below 1.64.0 and Remote Development extensions are installed, the system is vulnerable.

Check Version:

code --version

Verify Fix Applied:

Verify VS Code version is 1.64.0 or higher in Help > About. Check extensions panel to confirm Remote Development extensions are updated.
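A scripted form of the check above, added here as an example and not part of the advisory: version_lt compares the first line of code --version against 1.64.0 numerically (not lexically, so 1.9.x is correctly below 1.64.0), vscode_vulnerable combines that with the output of code --list-extensions, and check_installed runs both live commands. The function names, the constructed sample extension list, and matching the whole ms-vscode-remote. publisher prefix (the page names only the extension pack id) are assumptions.

```shell
# Added example, not from the advisory: is this VS Code in the affected set for
# CVE-2022-21991 (version below 1.64.0 AND a Remote Development extension installed)?

FIXED_VERSION="1.64.0"
# The pack id comes from the advisory; matching the whole ms-vscode-remote.
# publisher prefix (remote-ssh, remote-containers, ...) is an assumption.
REMOTE_EXT_PATTERN='^ms-vscode-remote\.'

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Missing components count as 0, so "1.64" equals "1.64.0".
version_lt() {
    va=$1; vb=$2
    oldifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return $?; fi
    [ "$a3" -lt "$b3" ]
}

# vscode_vulnerable VERSION EXTENSIONS: exit 0 when VERSION is below the fix
# and the newline-separated EXTENSIONS list holds a Remote Development id.
vscode_vulnerable() {
    version_lt "$1" "$FIXED_VERSION" || return 1
    printf '%s\n' "$2" | grep -q "$REMOTE_EXT_PATTERN"
}

# check_installed: run the live check against the local code CLI.
# Exit 0 = vulnerable, 1 = not affected, 2 = could not determine.
check_installed() {
    command -v code >/dev/null 2>&1 || { echo "code CLI not on PATH"; return 2; }
    # first line of `code --version` is the version; drop suffixes such as -insider
    ver=$(code --version 2>/dev/null | head -n1 | sed 's/[^0-9.].*//')
    exts=$(code --list-extensions 2>/dev/null)
    if vscode_vulnerable "$ver" "$exts"; then
        echo "VULNERABLE: VS Code $ver with Remote Development extension(s) installed"
        return 0
    fi
    echo "not affected: VS Code $ver"
    return 1
}

# Constructed sample (not real output) showing the vulnerable combination.
SAMPLE_EXTENSIONS="ms-python.python
ms-vscode-remote.vscode-remote-extensionpack"

if [ "${1:-}" = "--check" ]; then check_installed; fi   # live check only on request
```

Run it with --check on a developer workstation to test the installed VS Code; without arguments it only defines the functions.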

📡 Detection & Monitoring

Log Indicators:

  • Unusual remote connection attempts to VS Code
  • Suspicious process execution from VS Code context
  • Failed authentication attempts to remote development servers

Network Indicators:

  • Unexpected outbound connections from developer workstations
  • Suspicious SSH or other remote protocol traffic to unknown endpoints

SIEM Query:

source="vscode" AND (event="remote_connection" OR event="extension_execution") AND dest_ip NOT IN [trusted_ips]