CVE-2022-22026

8.8 HIGH

📋 TL;DR

CVE-2022-22026 is a privilege escalation vulnerability in Windows Client Server Run-time Subsystem (CSRSS) that allows authenticated attackers to gain SYSTEM-level privileges on affected systems. This affects Windows operating systems where an attacker with standard user privileges can exploit the flaw to execute arbitrary code with elevated permissions. The vulnerability requires local access to the target system.

💻 Affected Systems

Products:

Windows Client Server Run-time Subsystem (CSRSS)

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. No special configurations required for exploitation.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM privileges, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Malicious insiders or attackers who have already gained initial access escalate privileges to bypass security controls and maintain persistence.

🟢

If Mitigated

With proper patch management and least privilege principles, impact is limited to isolated systems with minimal lateral movement capability.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to gain full control and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local authenticated access. Proof-of-concept code has been publicly released, making exploitation more accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2022 security updates (KB5015807, KB5015808, KB5015811, etc. depending on Windows version)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026

Restart Required: Yes

Instructions:

1. Apply July 2022 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Implement least privilege principles to limit what standard users can do on systems

Network segmentation

all

Segment networks to limit lateral movement if exploitation occurs

🧯 If You Can't Patch

Implement strict access controls and monitor for privilege escalation attempts
Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with patched versions. Systems without July 2022 security updates are vulnerable.

Check Version:

winver

Verify Fix Applied:

Verify that July 2022 security updates are installed via 'winver' command or Windows Update history.

📡 Detection & Monitoring

Log Indicators:

Unexpected privilege escalation events in Windows Security logs
CSRSS process anomalies
Suspicious process creation with SYSTEM privileges

Network Indicators:

Unusual outbound connections from previously low-privilege accounts
Lateral movement attempts from compromised systems

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%csrss.exe%' AND SubjectUserName != 'SYSTEM'

📊 Metadata

CVE ID: CVE-2022-22026

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-787

Published: July 12, 2022

Last Updated: November 21, 2024

🔗 References