CVE-2022-22018

7.8 HIGH

📋 TL;DR

CVE-2022-22018 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, potentially allowing attackers to gain control of affected systems.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Prior to the July 2022 security update
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the HEVC codec handling within the Video Extensions. Systems without HEVC Video Extensions installed are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Attacker gains user-level privileges on the compromised system, enabling data access, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the application context.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via web downloads, email attachments, or malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files shared via internal networks or collaboration tools.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction: the victim must open a malicious media file. No public exploit code is known to have been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version with July 2022 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22018

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Search for 'HEVC Video Extensions'.
3. Click 'Get Updates' or check for updates.
4. Install the latest version.
5. Alternatively, install Windows security updates from July 2022 via Windows Update.

🔧 Temporary Workarounds

Disable HEVC Video Extensions

windows

Temporarily uninstall the HEVC Video Extensions to prevent exploitation. As written, the command removes the package for the current user only.

Open PowerShell as Administrator
Get-AppxPackage *HEVC* | Remove-AppxPackage

Restrict media file execution

windows

Configure application control policies to restrict execution of media files from untrusted sources

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized media players
  • Educate users about the risks of opening media files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Microsoft Store or via PowerShell: Get-AppxPackage *HEVC* | Select Name, Version

Check Version:

Get-AppxPackage *HEVC* | Select Name, Version

Verify Fix Applied:

Verify HEVC Video Extensions version is updated to July 2022 or later release

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process creation from media player applications
  • HEVC codec related crashes in Application logs

Network Indicators:

  • Unusual outbound connections from media player processes
  • Downloads of suspicious media files

SIEM Query:

Process Creation where (Image contains 'hevc' OR ParentImage contains media player) AND CommandLine contains suspicious parameters
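
The version check under "How to Verify" and the codec-crash item under "Log Indicators" can be scripted together. The following is an added example, not vendor or project code: the function names are hypothetical, the fixed version is not stated on this page and must be taken from the MSRC advisory, and matching crash events on the string 'hevc' is an assumption about how the faulting module or application is named.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
function Test-HevcExtensionPatched {
    [CmdletBinding()]
    param(
        # Lowest fixed package version, taken from the MSRC advisory for
        # CVE-2022-22018. It is not given on this page, so it has no default.
        [Parameter(Mandatory)][version]$MinFixedVersion
    )
    # -AllUsers lists copies installed under every profile, not only the caller's.
    Get-AppxPackage -AllUsers -Name '*HEVC*' | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Version = [version]$_.Version
            Patched = ([version]$_.Version -ge $MinFixedVersion)
        }
    }
}

function Get-HevcCrashEvent {
    [CmdletBinding()]
    param([int]$Days = 30)
    # Event ID 1000 from the "Application Error" provider records application crashes.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    # Assumption: the crash message names a module or app containing 'hevc'.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'hevc' } |
        Select-Object TimeCreated, MachineName, Message
}

# Usage (the version string is a placeholder, not the real fixed version):
#   Test-HevcExtensionPatched -MinFixedVersion '<fixed-version-from-MSRC>'
#   Get-HevcCrashEvent -Days 14
```

A matching crash event is a lead for triage, not confirmation of exploitation.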
