CVE-2022-22022

7.1 HIGH

📋 TL;DR

CVE-2022-22022 is an elevation of privilege vulnerability in the Windows Print Spooler service that allows authenticated attackers to execute code with SYSTEM privileges. This affects Windows systems where the Print Spooler service is running. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Print Spooler service enabled (default on most Windows installations).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected system, lateral movement, and persistence establishment.

🟠 Likely Case

Privilege escalation from standard user to SYSTEM, allowing installation of malware, credential theft, and bypassing security controls.

🟢 If Mitigated

Limited impact with proper network segmentation, least privilege enforcement, and Print Spooler service disabled on non-essential systems.

🌐 Internet-Facing: LOW - Requires local authentication and Print Spooler service access, not directly exploitable over internet.
🏢 Internal Only: HIGH - Significant risk in internal networks where attackers can gain initial access and escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated user access. Exploitation is relatively straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2022 security updates (KB5015807, KB5015808, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022

Restart Required: Yes

Instructions:

1. Apply July 2022 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or SCCM.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Print Spooler Service


Stops the vulnerable service from running, preventing exploitation.

sc stop spooler
sc config spooler start= disabled

Restrict Print Spooler via Group Policy


Disables Print Spooler service through Group Policy for domain environments.

🧯 If You Can't Patch

  • Disable Print Spooler service on all non-essential systems
  • Implement network segmentation to isolate systems with Print Spooler enabled

🔍 How to Verify

Check if Vulnerable:

Check if Print Spooler service is running and system has not applied July 2022 security updates.

Check Version:

wmic qfe list | findstr "KB5015807 KB5015808"

Verify Fix Applied:

Verify July 2022 security updates are installed and Print Spooler service version is updated.
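The following PowerShell check combines the two verification steps above (service state plus July 2022 KB presence) into one report; it is an added example, not part of the advisory. It assumes the KB numbers quoted on this page apply to the build being checked; other Windows builds receive the same fix under different KB numbers, so extend the list accordingly.

```powershell
# Added example: report Print Spooler exposure to CVE-2022-22022 on the local host.
# Assumption: the KB numbers below are the ones relevant to this build (taken from the
# advisory text above); builds not covered by them need their own KB added here.
$ExpectedKBs = @('KB5015807', 'KB5015808')

$spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $ExpectedKBs -contains $_.HotFixID }

$running = $spooler -and $spooler.Status -eq 'Running'

# Three outcomes: spooler running without the fix, spooler running with the fix,
# or spooler stopped/disabled (the documented workaround).
$exposure = if ($running -and -not $installed) { 'LIKELY VULNERABLE: spooler running, July 2022 KB not found' }
            elseif ($running)                  { 'Patched: July 2022 KB present, spooler still running' }
            else                               { 'Mitigated: spooler not running' }

[PSCustomObject]@{
    Host          = $env:COMPUTERNAME
    OSVersion     = $os.Version
    SpoolerStatus = if ($spooler) { $spooler.Status }    else { 'NotPresent' }
    SpoolerStart  = if ($spooler) { $spooler.StartType } else { 'NotPresent' }
    KBsFound      = ($installed | ForEach-Object { $_.HotFixID }) -join ','
    Exposure      = $exposure
}
```

Get-HotFix only lists updates recorded in the Windows Update history, so a host patched through a channel that does not register there can show an empty KBsFound column; treat that result as "verify manually", not as proof of vulnerability.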

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 for Print Spooler service restarts
  • Unusual process creation from spoolsv.exe

Network Indicators:

  • Unexpected RPC connections to Print Spooler service

SIEM Query:

EventID=7036 AND ServiceName="Spooler" | stats count by host
