CVE-2022-23718
📋 TL;DR
CVE-2022-23718 is a remote code execution vulnerability in PingID Windows Login versions prior to 2.8. Because the product runs as part of the Windows logon process, successful exploitation yields arbitrary code execution with SYSTEM privileges. Organizations using PingID Windows Login for multi-factor authentication at Windows logon are affected. The root cause is the use of third-party components with known vulnerabilities bundled into the software; the fix replaces them rather than patching PingID's own logic.
💻 Affected Systems
- PingID Windows Login
📦 What is this software?
PingID Windows Login is a Ping Identity component installed on Windows workstations and servers that adds PingID multi-factor authentication to the Windows logon (it plugs into the logon screen as a credential provider). It therefore executes in the privileged logon context before any user session exists, which is why a flaw in it is reachable as SYSTEM.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over affected Windows systems, credential theft, lateral movement, and data exfiltration.
Likely Case
An attacker positioned on the network path between the endpoint and the PingID service (man-in-the-middle), or with control of server infrastructure the client trusts, could use the vulnerable components to deploy malware, backdoors, or ransomware on enterprise Windows endpoints with SYSTEM privileges.
If Mitigated
With proper network segmentation, EDR monitoring, and updated software, impact is limited to isolated systems with rapid detection and containment.
🎯 Exploit Status
Exploitation requires man-in-the-middle position or compromise of Ping Identity infrastructure. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8 and later
Vendor Advisory: https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html
Restart Required: Yes
Instructions:
1. Download PingID Windows Login 2.8 or later from the official Ping Identity portal.
2. Run the installer on affected systems (or deploy it through your usual software distribution tool).
3. Restart the system to complete the installation.
4. Verify that the version reported in Programs and Features is 2.8 or higher.
🔧 Temporary Workarounds
Network Segmentation
Restrict the outbound connectivity of endpoints running PingID Windows Login so that PingID traffic can reach only Ping Identity's service endpoints, and keep untrusted proxies or TLS-inspection devices off that path. This reduces the attack surface for the man-in-the-middle scenario described above but does not remove the vulnerable components.
Application Control
Implement application allowlisting (for example AppLocker or Windows Defender Application Control) to prevent execution of unauthorized binaries. This limits what an attacker can do after achieving code execution; it does not prevent the vulnerability itself from being triggered.
🧯 If You Can't Patch
- Disable or uninstall PingID Windows Login and use an alternative MFA method until patching is possible. Note that removing the credential provider without another MFA provider in place leaves Windows logon protected by password only; treat that as a conscious, time-limited trade-off.
- Implement strict network monitoring and EDR solutions to detect and block suspicious SYSTEM-level process execution.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of PingID Windows Login via Control Panel > Programs and Features, via the registry Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent), or by examining the application directory. Any version below 2.8 is vulnerable.
Check Version:
wmic product where "name like '%PingID%'" get Name,Version
(Note: wmic is deprecated on current Windows releases, the Win32_Product class is slow and triggers an MSI consistency check on every query, and the name filter must match the product's registered display name. Prefer the registry-based check below where wmic is unavailable.)
Verify Fix Applied:
Confirm the reported version is 2.8 or higher. Because the vulnerable components are not individually identified here, the product version is the practical indicator that they have been replaced; inspecting the installation directory alone is not a reliable check.
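The version check above, as an added PowerShell example (not code from Ping Identity or from the original page). It reads both 64-bit and 32-bit registry Uninstall keys rather than relying on wmic, and compares the version as a System.Version so that a release such as 2.10 is not mistaken for being older than 2.8. It assumes the product's DisplayName in Programs and Features contains "PingID"; adjust the filter if your installation registers a different name.

```powershell
# Added example, not from the original page or from Ping Identity.
# Assumption: the product's DisplayName in Programs and Features contains "PingID".
$FixedVersion = [version]'2.8'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Enumerate installed programs from the registry (no Win32_Product query needed).
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*PingID*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $installed) {
    Write-Output 'PingID Windows Login not found in the registry Uninstall keys.'
    return
}

foreach ($app in $installed) {
    # DisplayVersion is a string; cast to [version] so numeric comparison is correct
    # (string comparison would sort "2.10" before "2.8").
    $ver = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        Write-Output ("{0}: unparseable version '{1}', inspect manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }
    $status = if ($ver -lt $FixedVersion) { 'VULNERABLE (pre-2.8, CVE-2022-23718)' } else { 'patched (2.8 or later)' }
    Write-Output ("{0} {1} at '{2}': {3}" -f $app.DisplayName, $ver, $app.InstallLocation, $status)
}
```

To sweep a fleet, wrap the script in Invoke-Command against a list of hosts and collect the output centrally; the registry read requires only local administrator rights on the target.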
📡 Detection & Monitoring
Log Indicators:
- Unusual SYSTEM-level process creation from PingID directories
- Failed update attempts or version rollbacks
- Network connections to unexpected external IPs from PingID processes
Network Indicators:
- Unusual outbound traffic from systems running PingID Windows Login
- SSL/TLS interception attempts targeting PingID endpoints
SIEM Query:
Using Sysmon Event ID 1 (ProcessCreate) fields, in Splunk syntax (the index name is an assumption):
index=sysmon EventCode=1 IntegrityLevel="System" ParentImage="*pingid*" | stats count by Image, CommandLine, ParentImage | sort count
Caveat: PingID's own legitimate child processes (for example during installation or updates) will match this query. Baseline them first and alert on children that are rare or out of place for a logon component, such as script interpreters, living-off-the-land binaries, or executables launched from user-writable paths.
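The detection logic above, run over sample events, as an added PowerShell example (not from the original page). It flags processes created at System integrity whose parent runs from a PingID directory, minus an allowlist of expected children, and includes a converter for real Sysmon Event ID 1 records from the local event log. The sample events, the installation path, and the allowlist contents are constructed for this demonstration and must be tuned against your own baseline.

```powershell
# Added example, not from the original page. Field names follow Sysmon Event ID 1
# (Image, ParentImage, IntegrityLevel, CommandLine, UtcTime).
# Assumption: expected children of PingID processes; tune against your own baseline.
$ExpectedChildren = @('conhost.exe', 'pingid_installer.exe')

function Test-SuspiciousPingIdChild {
    param([Parameter(Mandatory)] [hashtable]$Event)
    $parentIsPingId = $Event.ParentImage -match '(?i)\\pingid'
    $isSystem       = $Event.IntegrityLevel -eq 'System'
    $childName      = [System.IO.Path]::GetFileName($Event.Image)
    # -notcontains is case-insensitive in PowerShell by default.
    $unexpected     = $ExpectedChildren -notcontains $childName
    return ($parentIsPingId -and $isSystem -and $unexpected)
}

# Turn a live Sysmon record into the hashtable shape used above
# (Sysmon writes each field as <Data Name="...">value</Data> under EventData).
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Constructed sample events standing in for parsed Sysmon ID 1 records.
$SampleEvents = @(
    @{ UtcTime='2022-06-01 10:00:01'; IntegrityLevel='System'
       Image='C:\Windows\System32\conhost.exe'
       ParentImage='C:\Program Files\Ping Identity\PingID\PingIDWindowsLogin.exe'
       CommandLine='conhost.exe 0x4' },
    @{ UtcTime='2022-06-01 10:00:07'; IntegrityLevel='System'
       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage='C:\Program Files\Ping Identity\PingID\PingIDWindowsLogin.exe'
       CommandLine='powershell.exe -nop -w hidden -enc AAAA' },
    @{ UtcTime='2022-06-01 10:00:09'; IntegrityLevel='Medium'
       Image='C:\Windows\System32\cmd.exe'
       ParentImage='C:\Windows\explorer.exe'
       CommandLine='cmd.exe' }
)

# Only the second event should be flagged: a script interpreter spawned as SYSTEM
# by the PingID binary, which is not in the expected-children baseline.
$hits = $SampleEvents | Where-Object { Test-SuspiciousPingIdChild -Event $_ }
foreach ($h in $hits) {
    Write-Output ("ALERT {0} parent={1} child={2} cmd={3}" -f $h.UtcTime, $h.ParentImage, $h.Image, $h.CommandLine)
}

# To run against the live log instead of the constructed sample (requires Sysmon):
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
#       ForEach-Object { ConvertFrom-SysmonProcessCreate -Record $_ } |
#       Where-Object { Test-SuspiciousPingIdChild -Event $_ }
```

The allowlist approach is deliberate: matching on parent path and integrity level alone produces one alert per legitimate PingID child, so the useful signal comes from excluding the known-good set and reviewing whatever remains, together with its command line.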