CVE-2022-25478

7.8 HIGH

📋 TL;DR

This vulnerability in Realtek card reader drivers allows attackers with local access to read and write to the PCI configuration space, potentially enabling privilege escalation or system compromise. It affects systems using Realtek RtsPer (PCIe) driver versions before 10.0.22000.21355 or RtsUer (USB) driver versions before 10.0.22000.31274. The vulnerability requires local access but could be combined with other exploits for broader impact.

💻 Affected Systems

Products:
  • Realtek RtsPer.sys driver
  • Realtek RtsUer.sys driver
Versions: RtsPer.sys before 10.0.22000.21355, RtsUer.sys before 10.0.22000.31274
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Realtek PCIe or USB card readers using vulnerable driver versions. Many laptops and desktops include these components.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through privilege escalation, leading to arbitrary code execution, data theft, or installation of persistence mechanisms.

🟠 Likely Case: Local privilege escalation allowing attackers to gain SYSTEM/root privileges from a lower-privileged account.

🟢 If Mitigated: Limited impact if proper access controls prevent local user access or if vulnerable drivers are not present.

🌐 Internet-Facing: LOW - Requires local access; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or combined with other local exploits.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access but is relatively straightforward once access is obtained. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RtsPer.sys 10.0.22000.21355+, RtsUer.sys 10.0.22000.31274+

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_RtsPer_RtsUer_Security_Advisory_Report.pdf

Restart Required: Yes

Instructions:

1. Check current driver version in Device Manager under 'System devices' > 'Realtek PCIE CardReader' or similar.
2. Download updated drivers from Realtek or system manufacturer.
3. Install updated drivers.
4. Restart system.

🔧 Temporary Workarounds

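Disable vulnerable drivers (Windows)

Disable the Realtek card reader drivers if they are not needed. Run the commands from an elevated prompt, and use sc.exe rather than sc, because in Windows PowerShell sc is an alias for Set-Content.

sc.exe stop RtsPer
sc.exe config RtsPer start= disabled
sc.exe stop RtsUer
sc.exe config RtsUer start= disabled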

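Remove driver files (Windows)

Delete the vulnerable driver files from the system. A copy of the driver package staged in the driver store can be reinstalled by Plug and Play when the device is detected again, so this does not replace installing the fixed driver.

del C:\Windows\System32\drivers\RtsPer.sys
del C:\Windows\System32\drivers\RtsUer.sys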

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable drivers
  • Implement application whitelisting to prevent unauthorized driver manipulation

🔍 How to Verify

Check if Vulnerable:

Check the driver version in Device Manager, or run the following from a Command Prompt. The pipeline is quoted so that cmd.exe passes it to PowerShell instead of interpreting the | characters itself:

powershell -Command "Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like '*Realtek*CardReader*'} | Select-Object DeviceName, DriverVersion"

Check Version:

powershell -Command "Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like '*Realtek*CardReader*'} | Select-Object DeviceName, DriverVersion"

Verify Fix Applied:

Verify driver version is at or above patched versions: RtsPer.sys >= 10.0.22000.21355, RtsUer.sys >= 10.0.22000.31274
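
The version comparison above can be scripted for fleet checks. The following PowerShell is an added example, not part of the original advisory or Realtek's tooling; it assumes the drivers are in %SystemRoot%\System32\drivers and that the file version resource uses the same numbering as the advisory. Get-RealtekDriverStatus and its DriverDir parameter are hypothetical names.

```powershell
# Added example. Patched-version thresholds are the ones stated in this advisory.
$Patched = @{
    'RtsPer.sys' = [version]'10.0.22000.21355'
    'RtsUer.sys' = [version]'10.0.22000.31274'
}

function Get-RealtekDriverStatus {
    param(
        # Assumption: default driver directory, the same path used elsewhere on this page.
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    foreach ($name in $Patched.Keys) {
        $path = Join-Path $DriverDir $name

        # A host without the driver file is not exposed through that driver.
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Driver = $name; FileVersion = $null; Status = 'NotPresent' }
            continue
        }

        $vi = (Get-Item -LiteralPath $path).VersionInfo

        # Build the version from the numeric parts of the version resource.
        # The FileVersion string can carry extra text, and comparing version
        # strings lexically gives wrong answers (e.g. '9' sorts after '10').
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)

        $status = if ($ver -lt $Patched[$name]) { 'Vulnerable' } else { 'Patched' }
        [pscustomobject]@{ Driver = $name; FileVersion = $ver; Status = $status }
    }
}

# One row per driver: NotPresent, Vulnerable, or Patched.
Get-RealtekDriverStatus | Format-Table -AutoSize
```

Run it again after the restart that the fix requires, so the result reflects the driver file that is actually in place.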

📡 Detection & Monitoring

Log Indicators:

  • Driver loading events for RtsPer.sys or RtsUer.sys
  • Unauthorized access attempts to PCI configuration space
  • Privilege escalation events

Network Indicators:

  • No direct network indicators - local exploit

SIEM Query:

(EventID=7045 AND (ServiceName='RtsPer' OR ServiceName='RtsUer')) OR (EventID=4697 AND ServiceName LIKE '%Realtek%CardReader%')
