CVE-2022-25480

7.8 HIGH

📋 TL;DR

This vulnerability in Realtek card reader drivers allows attackers to write beyond allocated kernel memory buffers, potentially leading to privilege escalation or system crashes. It affects Windows systems using vulnerable Realtek PCIe or USB card reader drivers. Attackers with local access could exploit this to gain elevated privileges.

💻 Affected Systems

Products:
  • Realtek RtsPer.sys driver for PCIe Card Reader
  • Realtek RtsUer.sys driver for USB Card Reader
Versions: RtsPer.sys before 10.0.22000.21355, RtsUer.sys before 10.0.22000.31274
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Realtek card readers using these specific drivers are vulnerable. Many laptops and desktops include Realtek card readers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to SYSTEM/root, enabling complete system compromise, data theft, or installation of persistent malware.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access sensitive data.

🟢 If Mitigated

Limited impact if proper access controls prevent local user execution or if vulnerable drivers are not present.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable from internet.
🏢 Internal Only: HIGH - Local attackers or malware with user privileges can exploit to gain system-level access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof-of-concept code is publicly available. Exploitation requires local access but is relatively straightforward for attackers with user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RtsPer.sys 10.0.22000.21355+, RtsUer.sys 10.0.22000.31274+

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_RtsPer_RtsUer_Security_Advisory_Report.pdf

Restart Required: Yes

Instructions:

1. Check Windows Update for driver updates.
2. Install Realtek driver updates from manufacturer website.
3. Restart system.
4. Verify driver versions match patched versions.

🔧 Temporary Workarounds

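Disable vulnerable drivers (Windows)

Disable the Realtek card reader drivers if they are not needed. Run the commands from an elevated prompt. Use sc.exe rather than sc so they also work in PowerShell, where sc can resolve to the Set-Content alias:

sc.exe stop RtsPer
sc.exe stop RtsUer
sc.exe config RtsPer start= disabled
sc.exe config RtsUer start= disabled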

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable drivers
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check driver versions in Device Manager under 'Storage controllers' for Realtek card readers, or confirm that the drivers are present by running: driverquery | findstr /i "RtsPer RtsUer"

Check Version:

driverquery /v | findstr /i "RtsPer RtsUer"

Verify Fix Applied:

Verify driver versions show 10.0.22000.21355+ for RtsPer.sys and 10.0.22000.31274+ for RtsUer.sys
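
An added example (not from Realtek or from this page's source): a PowerShell check that reads the file version from each driver binary and compares it with the fixed versions listed above. It assumes the driver services are registered as RtsPer and RtsUer, the names used in the workaround commands; the function name Get-RealtekDriverStatus is hypothetical.

```powershell
# Added example: compare installed Realtek card reader driver versions
# against the fixed versions given in this advisory.
$FixedVersions = @{
    'RtsPer' = [version]'10.0.22000.21355'   # PCIe card reader driver
    'RtsUer' = [version]'10.0.22000.31274'   # USB card reader driver
}

function Get-RealtekDriverStatus {
    param([hashtable]$Minimum = $FixedVersions)

    foreach ($name in $Minimum.Keys) {
        $row = [ordered]@{ Driver = $name; Version = $null; State = $null; Result = $null; Path = $null }

        # Win32_SystemDriver lists registered kernel driver services and their image path.
        # Assumption: the service names match the driver file names (RtsPer / RtsUer).
        $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            $row.Result = 'NotInstalled'
            [pscustomobject]$row
            continue
        }
        $row.State = $svc.State

        # PathName can carry an NT object prefix (\??\); strip it so Get-Item can resolve the file.
        $row.Path = $svc.PathName -replace '^\\\?\?\\', ''
        $file = Get-Item -LiteralPath $row.Path -ErrorAction SilentlyContinue
        if (-not $file) {
            $row.Result = 'FileNotFound'
            [pscustomobject]$row
            continue
        }

        # Build the version from its numeric parts; the FileVersion string may carry trailing text.
        $vi = $file.VersionInfo
        $row.Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        # Versions before the fixed build are affected; equal or later is patched.
        $row.Result = if ($row.Version -ge $Minimum[$name]) { 'Patched' } else { 'Vulnerable' }
        [pscustomobject]$row
    }
}

Get-RealtekDriverStatus | Format-Table -AutoSize
```

A row with Result set to Vulnerable and State set to Running is the case to prioritise; NotInstalled means no driver service with that name is registered on the host.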

📡 Detection & Monitoring

Log Indicators:

  • Driver loading events for RtsPer.sys or RtsUer.sys
  • System crashes with driver-related errors
  • Unusual privilege escalation attempts

Network Indicators:

  • No direct network indicators - local exploitation only

SIEM Query:

EventID=7045 AND (ServiceName="RtsPer" OR ServiceName="RtsUer")
