Login Sign Up

CVE-2022-23288

7.0 HIGH

📋 TL;DR

This vulnerability in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to execute arbitrary code with SYSTEM privileges. It affects Windows systems where an attacker has local access and can exploit the flaw to escalate privileges from a lower-privileged account to SYSTEM level.

💻 Affected Systems

Products:
  • Windows Desktop Window Manager (DWM) Core Library
Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations of supported Windows versions. Requires local authenticated access to exploit.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, or persistence mechanisms.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional tools, or access restricted resources.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are implemented, restricting local access to trusted users only.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over network.
🏢 Internal Only: HIGH - Significant risk from insider threats or compromised accounts with local access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access and specific conditions to trigger the vulnerability. No public exploit code available as of last update.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in January 2022 Patch Tuesday

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23288

Restart Required: Yes

Instructions:

1. Apply Windows Update from January 2022 or later. 2. Install KB5009543 (Windows 10) or equivalent security update for your version. 3. Restart system to complete installation.

🔧 Temporary Workarounds

Restrict Local Access

windows

Limit local login access to trusted administrators only and implement least privilege principles.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious local privilege escalation attempts.
  • Segment networks to limit lateral movement and contain potential breaches.

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for January 2022 security updates or run 'systeminfo' to check OS build number.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5009543 or equivalent security update is installed via Windows Update history or 'wmic qfe list' command.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (Process Creation) showing unexpected SYSTEM privilege processes from user accounts
  • Security log entries for privilege escalation

Network Indicators:

  • Unusual outbound connections from systems after local login events

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS "cmd.exe" OR "powershell.exe" AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE") AND TokenElevationType=2

📊 Metadata

CVE ID: CVE-2022-23288
CVSS v3 Score: 7.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: March 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON