CVE-2022-22001

7.8 HIGH

📋 TL;DR

CVE-2022-22001 is an elevation of privilege vulnerability in Windows Remote Access Connection Manager. It allows authenticated attackers to execute code with SYSTEM privileges on affected Windows systems. This affects Windows servers and workstations running vulnerable versions.

💻 Affected Systems

Products:
  • Windows Remote Access Connection Manager
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Remote Access Connection Manager service enabled (default on many Windows installations).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains full SYSTEM privileges, enabling complete system compromise, lateral movement, and persistence.

🟠 Likely Case: Privilege escalation from a standard user to SYSTEM, allowing installation of malware, credential theft, and bypassing of security controls.

🟢 If Mitigated: Limited to authenticated users only; proper patch management prevents exploitation.

🌐 Internet-Facing: LOW - Requires authenticated access; not directly exploitable from internet without prior compromise.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user access; Microsoft has not disclosed exploitation details publicly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates from July 2022 or later (e.g., KB5015807 for Windows 10 21H2)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22001

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates via Windows Update.
2. For enterprise: deploy patches through WSUS, SCCM, or equivalent.
3. Restart systems after patching.

🔧 Temporary Workarounds

Disable the Remote Access Connection Manager service

Disables the vulnerable service if it is not required for functionality (run from an elevated command prompt):

sc config RasMan start= disabled
sc stop RasMan

🧯 If You Can't Patch

  • Restrict user privileges to minimize attack surface (principle of least privilege).
  • Implement network segmentation to limit lateral movement from compromised systems.

🔍 How to Verify

Check if Vulnerable:

Check Windows version and patch level; systems without July 2022 or later security updates are vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history includes July 2022 security updates or later, or check system version matches patched versions.
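The following is an added example, not code from the original page or from Microsoft: a read-only PowerShell check that combines the two signals described above, the July 2022 cumulative update and the state of the RasMan service. It assumes $PatchKb is the page's Windows 10 21H2 example (KB5015807) and that $MinUbr is the update build revision that KB installs (1826 for build 19044, an assumption to confirm against the vendor advisory); both values must be changed for other Windows branches.

```powershell
# Added example (not from the page or the vendor): checks patch state and the
# RasMan workaround for CVE-2022-22001. Run from an elevated PowerShell prompt.
# Assumptions: $PatchKb is the page's Windows 10 21H2 KB; $MinUbr (1826) is the
# revision that KB installs on build 19044 (assumed; confirm in the advisory).
$PatchKb = 'KB5015807'
$MinUbr  = 1826

$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "Build: $($ver.CurrentBuild).$($ver.UBR) ($($ver.ProductName))"

# 1. Patch present, either as the listed KB or as a build revision at/after it
#    (later cumulative updates supersede the KB, so the revision check matters).
$hotfix  = Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKb }
$patched = [bool]$hotfix -or ([int]$ver.UBR -ge $MinUbr)

# 2. State of the vulnerable service (the page's workaround disables RasMan).
$svc = Get-CimInstance Win32_Service -Filter "Name='RasMan'"
if ($svc) {
    Write-Host "RasMan: State=$($svc.State) StartMode=$($svc.StartMode)"
    $workaround = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
} else {
    Write-Host "RasMan service not present on this host"
    $workaround = $true
}

# 3. Verdict: patched beats workaround, workaround beats exposed.
if ($patched) {
    Write-Host "Verdict: patched (KB listed: $([bool]$hotfix), UBR $($ver.UBR) >= $MinUbr)"
} elseif ($workaround) {
    Write-Host "Verdict: unpatched, but the service-disable workaround is in place"
} else {
    Write-Warning "Verdict: likely vulnerable; apply the July 2022 or later cumulative update"
}
```

Because a later cumulative update removes the older KB from the hotfix list, the revision comparison is the check that stays valid over time.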

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with process creation from RasMan service
  • Unexpected SYSTEM privilege escalation events

Network Indicators:

  • Unusual outbound connections from systems after privilege escalation

SIEM Query:

EventID=4688 AND (ProcessName="*rasman*" OR ParentProcessName="*rasman*")
