CVE-2022-26788

7.8 HIGH

📋 TL;DR

This PowerShell vulnerability allows authenticated attackers to execute arbitrary code with elevated privileges on affected Windows systems. It affects systems running PowerShell 7.2 and 7.3 where an attacker can exploit a flaw in how PowerShell handles certain operations. This primarily impacts Windows environments where PowerShell is used for administration.

💻 Affected Systems

Products:
  • PowerShell 7
  • PowerShell Core
Versions: PowerShell 7.2.0 through 7.2.7, PowerShell 7.3.0 through 7.3.1
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PowerShell 7.x versions, not Windows PowerShell 5.1. Requires PowerShell to be installed and accessible to authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, lateral movement, and persistence establishment.

🟠 Likely Case

Authenticated users (including low-privilege accounts) escalate to administrator privileges, allowing them to install malware, modify system configurations, or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This requires authenticated access to the system, making direct internet exploitation unlikely without prior compromise.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain elevated privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the system. Proof-of-concept code has been published, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PowerShell 7.2.8 or later, PowerShell 7.3.2 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26788

Restart Required: No

Instructions:

1. Download latest PowerShell 7.x from Microsoft's GitHub releases.
2. Install the update on affected systems.
3. Verify PowerShell version with 'pwsh --version'.

🔧 Temporary Workarounds

Restrict PowerShell Access (Windows)

Limit which users can execute PowerShell scripts through Group Policy or application control policies.

# Use Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution > Set to 'Allow only signed scripts' or 'Disabled'

Implement Least Privilege (Windows)

Ensure users only have necessary permissions and cannot run PowerShell with elevated privileges.

# Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Remove users from 'Debug programs' and 'Create a token object' privileges
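The following script is an added example, not part of this advisory, for checking whether the two workarounds above are actually in force on a host. It reads the policy-scoped execution policy with Get-ExecutionPolicy, and exports the local user-rights assignments with secedit to list who holds 'Debug programs' (SeDebugPrivilege) and 'Create a token object' (SeCreateTokenPrivilege). It assumes an elevated prompt, since secedit requires one, and the function name Get-UserRightHolder is hypothetical.

```powershell
# Added example (not from the advisory): audit whether the two workarounds are applied.
# Run from an elevated prompt; secedit /export needs administrator rights.

# 1) Execution policy set by policy rather than by the user. The MachinePolicy and
#    UserPolicy scopes are what the "Turn on Script Execution" GPO populates;
#    'Undefined' in both means no policy is enforcing it.
Get-ExecutionPolicy -List | Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' }

# 2) Who currently holds the two user rights the workaround says to remove.
function Get-UserRightHolder {
    param([string[]]$Right)
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    # Export only the USER_RIGHTS area of the local security policy to a temp .inf file
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $lines = Get-Content $cfg
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    foreach ($r in $Right) {
        $line = $lines | Where-Object { $_ -match ('^' + [regex]::Escape($r) + '\s*=') } |
            Select-Object -First 1
        $holders = @()
        if ($line) {
            # Lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
            $holders = foreach ($id in (($line -split '=', 2)[1] -split ',')) {
                $id = $id.Trim()
                if ($id.StartsWith('*')) {
                    # Leading '*' marks a SID; translate it to DOMAIN\name where possible
                    $sid = [System.Security.Principal.SecurityIdentifier]::new($id.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
                } else {
                    $id
                }
            }
        }
        # A right that is assigned to nobody is simply absent from the export
        [pscustomobject]@{ Right = $r; Holders = ($holders -join ', ') }
    }
}

# Debug programs = SeDebugPrivilege, Create a token object = SeCreateTokenPrivilege.
# Anything beyond the Administrators group (S-1-5-32-544) for SeDebugPrivilege, or any
# holder at all for SeCreateTokenPrivilege, means the least-privilege workaround is not applied.
Get-UserRightHolder -Right SeDebugPrivilege, SeCreateTokenPrivilege
```

The execution-policy check only proves a GPO is present; it does not stop a user from running commands interactively, which is why the page pairs it with application control and the user-rights change.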

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute PowerShell on affected systems
  • Deploy application whitelisting to prevent unauthorized PowerShell execution

🔍 How to Verify

Check if Vulnerable:

Run 'pwsh --version' and check whether the reported version falls within 7.2.0-7.2.7 or 7.3.0-7.3.1.

Check Version:

pwsh --version

Verify Fix Applied:

Run 'pwsh --version' and confirm version is 7.2.8+ or 7.3.2+
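As an added example that is not part of this advisory, the script below automates the version check against the affected ranges listed on this page (7.2.0-7.2.7, fixed in 7.2.8; 7.3.0-7.3.1, fixed in 7.3.2). It parses the output of 'pwsh --version' for the pwsh found on PATH, and additionally enumerates MSI-registered installs under the registry key HKLM:\SOFTWARE\Microsoft\PowerShellCore\InstalledVersions, which is assumed here and is absent for zip or Store installs. The function name Test-CVE202226788Version is hypothetical.

```powershell
# Added example (not vendor code): compare PowerShell 7 versions with the affected
# ranges given in this advisory. Runs from Windows PowerShell 5.1 or from pwsh.
$AffectedRanges = @(
    @{ Min = [version]'7.2.0'; Max = [version]'7.2.7'; FixedIn = [version]'7.2.8' }
    @{ Min = [version]'7.3.0'; Max = [version]'7.3.1'; FixedIn = [version]'7.3.2' }
)

function Test-CVE202226788Version {
    param(
        # Accepts '7.3.1', 'PowerShell 7.3.1' (pwsh --version output) or '7.3.0-preview.2'
        [Parameter(Mandatory)] [string]$VersionText,
        [string]$Source = 'unknown'
    )
    # Keep only major.minor.patch; a pre-release suffix is dropped for the comparison
    if ($VersionText -notmatch '(\d+)\.(\d+)\.(\d+)') {
        throw "Could not parse a version from '$VersionText'"
    }
    $v = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    $hit = $AffectedRanges | Where-Object { $v -ge $_.Min -and $v -le $_.Max } |
        Select-Object -First 1
    $fixed = if ($null -ne $hit) { $hit.FixedIn } else { $null }
    [pscustomobject]@{
        Source     = $Source
        Version    = $v
        Vulnerable = ($null -ne $hit)
        FixedIn    = $fixed
    }
}

# 1) The pwsh on PATH. Its output is a single line such as "PowerShell 7.3.1".
$pwsh = Get-Command pwsh -ErrorAction SilentlyContinue
if ($pwsh) {
    Test-CVE202226788Version -VersionText (& $pwsh.Source --version) -Source $pwsh.Source
} else {
    Write-Warning 'pwsh not found on PATH; PowerShell 7 may not be installed or may be installed elsewhere'
}

# 2) MSI-registered installs (assumed registry layout: one subkey per install with
#    SemanticVersion and InstallLocation values). Zip and Store installs do not appear here,
#    so this supplements the PATH check rather than replacing it.
$regPath = 'HKLM:\SOFTWARE\Microsoft\PowerShellCore\InstalledVersions'
Get-ChildItem $regPath -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.SemanticVersion) {
        Test-CVE202226788Version -VersionText $p.SemanticVersion -Source $p.InstallLocation
    }
}
```

A host can carry several PowerShell 7 installs side by side (for example a user-scope zip install next to the machine-wide MSI), so a single 'pwsh --version' only vouches for the copy that happens to be first on PATH; the registry pass catches the MSI copies, and anything else has to be located and checked by hand.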

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4104 (script block logging) in the PowerShell operational logs showing suspicious script execution
  • Unexpected PowerShell processes running with elevated privileges
  • PowerShell execution from unusual user accounts

Network Indicators:

  • PowerShell remoting (WinRM) connections to multiple systems in short time
  • Unusual outbound connections following PowerShell execution

SIEM Query:

source="Windows PowerShell" EventCode=4104 | stats count by host, user
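The script below is an added example, not part of this advisory, and is a local equivalent of the SIEM query above for a host without a SIEM. On Windows, PowerShell 7 writes script block events to the PowerShellCore/Operational log and Windows PowerShell 5.1 writes them to Microsoft-Windows-PowerShell/Operational, so it reads both; 4104 events only exist where script block logging is enabled. It produces the same count-by-host-and-user table, then lists script blocks run by accounts outside the local Administrators group, which is the population the "Likely Case" above describes. The function name Get-ScriptBlockEvent and the 24-hour window are choices made for this example.

```powershell
# Added example (not from the advisory): count Event ID 4104 script block events by
# host and user, then surface blocks run by non-administrator accounts for triage.
$Logs  = 'PowerShellCore/Operational', 'Microsoft-Windows-PowerShell/Operational'
$Since = (Get-Date).AddHours(-24)

function Get-ScriptBlockEvent {
    param([string[]]$LogName, [datetime]$StartTime)
    foreach ($log in $LogName) {
        # A log is missing when that PowerShell edition is not installed; skip it quietly.
        # Get-WinEvent also reports an error when no events match, which is suppressed too.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4104; StartTime = $StartTime } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Resolve the SID recorded on the event to DOMAIN\user where possible
            $user = if ($e.UserId) { $e.UserId.Value } else { 'unknown' }
            if ($e.UserId) {
                try { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            }
            # 4104 payload layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
            # [3] ScriptBlockId, [4] Path (empty for interactive input)
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Log    = $log
                Host   = $e.MachineName
                User   = $user
                Path   = $e.Properties[4].Value
                Script = $e.Properties[2].Value
            }
        }
    }
}

$blocks = Get-ScriptBlockEvent -LogName $Logs -StartTime $Since

# Equivalent of: stats count by host, user
$blocks | Group-Object Host, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Script blocks from accounts that are not local administrators. SYSTEM is exempted
# explicitly because it is not a group member but is not a low-privilege account either.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
$admins += 'NT AUTHORITY\SYSTEM'
$blocks | Where-Object { $admins -notcontains $_.User } |
    Select-Object Time, User, Path, @{ n = 'Snippet'; e = {
        $s = $_.Script -replace '\s+', ' '
        $s.Substring(0, [Math]::Min(80, $s.Length))
    } } |
    Format-Table -Wrap
```

Event 4104 records the script text but not whether the session was elevated, so the "elevated privileges" indicator on this page still has to come from process or token telemetry (for example a Sysmon or EDR process-creation event carrying the integrity level) rather than from the script block log alone.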
