CVE-2022-23300

7.8 HIGH

📋 TL;DR

CVE-2022-23300 is a remote code execution vulnerability in Microsoft Raw Image Extension that allows attackers to execute arbitrary code by tricking users into opening a specially crafted raw image file. This affects Windows systems with the Raw Image Extension installed, primarily putting users at risk through social engineering attacks.

💻 Affected Systems

Products:
  • Microsoft Raw Image Extension
Versions: All versions prior to the February 2022 update
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Raw Image Extension is installed from Microsoft Store. Not installed by default on most systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Limited user-level compromise on targeted systems, potentially leading to credential theft, lateral movement, or data exfiltration.

🟢 If Mitigated: No impact if extension is not installed or patched, with user education preventing malicious file execution.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious file, not directly exploitable via network services.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious documents containing crafted raw images.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious file. No known public exploits as of last update.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Raw Image Extension version 1.0.37391.0 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23300

Restart Required: No

Instructions:

1. Open Microsoft Store
2. Click Library
3. Click Get updates
4. Install Raw Image Extension update
5. Alternatively, uninstall the extension via Settings > Apps > Apps & features

🔧 Temporary Workarounds

Uninstall Raw Image Extension (Windows, PowerShell)

Remove the vulnerable component entirely:

Get-AppxPackage *Microsoft.RawImageExtension* | Remove-AppxPackage

Disable raw image file association (Windows, elevated Command Prompt)

Prevent raw image files from opening with the vulnerable extension. assoc is a cmd.exe built-in, not a PowerShell cmdlet, and changing an association requires an elevated prompt. Run assoc .raw (without the equals sign) first to record the current association so it can be restored once the extension is patched:

assoc .raw=
assoc .nef=
assoc .cr2=

🧯 If You Can't Patch

  • Educate users not to open raw image files from untrusted sources
  • Implement application whitelisting to block Raw Image Extension execution

🔍 How to Verify

Check if Vulnerable:

Check the Raw Image Extension version in the Microsoft Store or via PowerShell (no output means the extension is not installed and the system is not affected):

Get-AppxPackage *Microsoft.RawImageExtension* | Select Version

Verify Fix Applied:

Run the same PowerShell command and confirm the reported version is 1.0.37391.0 or higher.
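The check above, as an added PowerShell example that is not part of the original advisory: it compares every installed copy of the extension against the fixed version named above using a numeric [version] comparison, and reports "not installed" as not vulnerable. It assumes the package name wildcard *Microsoft.RawImageExtension* and the fixed version 1.0.37391.0 from this page; the -AllUsers switch needs an elevated session.

```powershell
# Added example (not the advisory's own code). Fixed version is taken from this page.
$FixedVersion = [version]'1.0.37391.0'

function Test-RawImageExtension {
    param([switch]$AllUsers)

    # -AllUsers enumerates packages provisioned for every profile, not just the caller's.
    $pkgs = if ($AllUsers) {
        Get-AppxPackage -AllUsers -Name '*Microsoft.RawImageExtension*'
    } else {
        Get-AppxPackage -Name '*Microsoft.RawImageExtension*'
    }

    if (-not $pkgs) {
        # Extension absent: the vulnerable component is not present, nothing to patch.
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }

    foreach ($p in $pkgs) {
        # Appx versions are four-part strings. Cast to [version] so the comparison is
        # numeric; a plain string compare would rank "1.0.4.0" above "1.0.37391.0".
        $v = [version]$p.Version
        [pscustomobject]@{
            Installed  = $true
            Version    = $v
            Vulnerable = ($v -lt $FixedVersion)
        }
    }
}

$result = Test-RawImageExtension -AllUsers
$result | Format-Table -AutoSize

# Non-zero exit code when any installed copy is still below the fixed version,
# so the script can be used as a compliance check from a scheduled task or RMM tool.
if ($result | Where-Object Vulnerable) { exit 1 } else { exit 0 }
```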

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for RawImageExtension.exe with suspicious parent processes
  • Windows Defender/AV alerts for malicious raw image files

Network Indicators:

  • Outbound connections from RawImageExtension.exe process
  • Downloads of raw image files from suspicious sources

SIEM Query:

ProcessName="RawImageExtension.exe" AND (CommandLine CONTAINS ".raw" OR CommandLine CONTAINS ".nef" OR CommandLine CONTAINS ".cr2")
