CVE-2022-26916

7.8 HIGH

📋 TL;DR

CVE-2022-26916 is a remote code execution vulnerability in Windows Fax Compose Form that allows attackers to execute arbitrary code on affected systems. This affects Windows systems with the fax service enabled. Attackers could exploit this by tricking users into opening specially crafted documents.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if fax service is installed and enabled. Not all Windows installations include fax components by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, allowing data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Limited user-level code execution leading to credential theft, lateral movement, or malware installation on individual workstations.

🟢 If Mitigated

No impact if systems are patched or fax service is disabled; limited to user context if proper application control is in place.

🌐 Internet-Facing: LOW - Requires user interaction with malicious content, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Could be exploited via phishing or malicious documents within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious document). No public exploit code available as of last update.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2022 security updates (KB5013942 for Windows 10, KB5013943 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26916

Restart Required: Yes

Instructions:

1. Install May 2022 Windows security updates via Windows Update.
2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify installation in Windows Update history.

🔧 Temporary Workarounds

Disable Fax Service

Remove or disable Windows Fax and Scan service to eliminate attack surface

sc.exe stop Fax
sc.exe config Fax start= disabled

Remove Fax Feature

Uninstall fax components from Windows

Dism /online /Disable-Feature /FeatureName:FaxServicesClientPackage

🧯 If You Can't Patch

  • Disable fax service on all affected systems
  • Implement application control to block execution of fax-related binaries
  • Educate users about not opening untrusted documents

🔍 How to Verify

Check if Vulnerable:

Check whether the fax component is installed and enabled (elevated PowerShell): Get-WindowsOptionalFeature -Online -FeatureName FaxServicesClientPackage

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify May 2022 security updates are installed (substitute the relevant KB for your OS version): Get-HotFix -Id KB5013942, KB5013943
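
The three checks above combined into one per-host audit, as an added example that is not part of the original advisory. The function name Get-FaxExposure, the verdict strings and the $FixKBs list are assumptions; the list holds only the two KB numbers named on this page, so extend it with the KB for your own OS build.

```powershell
#Requires -RunAsAdministrator
# Added example: exposure check for CVE-2022-26916 on the local host.
# Assumption: $FixKBs contains only the KBs named on this page; add your OS's KB.
$FixKBs = @('KB5013942', 'KB5013943')

function Get-FaxExposure {
    [CmdletBinding()]
    param([string[]]$KnownFixKBs = $FixKBs)

    # Optional feature lookup; an unknown feature name on this SKU is treated as absent.
    $feature = try {
        Get-WindowsOptionalFeature -Online -FeatureName FaxServicesClientPackage -ErrorAction Stop
    } catch { $null }

    # The Fax service does not exist on hosts without the fax component.
    $service = Get-Service -Name Fax -ErrorAction SilentlyContinue

    # Get-HotFix reports an error for each KB that is not installed; keep only hits.
    $installed = @(Get-HotFix -Id $KnownFixKBs -ErrorAction SilentlyContinue)

    $featureOn = ($null -ne $feature) -and ($feature.State -eq 'Enabled')
    $serviceOn = ($null -ne $service) -and ($service.StartType -ne 'Disabled')
    $patched   = $installed.Count -gt 0

    # 'Review' is not proof of vulnerability: Windows updates are cumulative, so a
    # later monthly update also carries the fix. Confirm against the OS build.
    $verdict = if (-not ($featureOn -or $serviceOn)) { 'NotExposed' }
               elseif ($patched)                      { 'Patched' }
               else                                   { 'Review' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        FeatureState  = if ($feature) { [string]$feature.State } else { 'NotFound' }
        ServiceStatus = if ($service) { [string]$service.Status } else { 'NotInstalled' }
        ServiceStart  = if ($service) { [string]$service.StartType } else { 'NotInstalled' }
        FixKBsFound   = ($installed.HotFixID -join ',')
        Verdict       = $verdict
    }
}

# Run locally and show every field.
Get-FaxExposure | Format-List
```

Hosts that return Review are the ones to prioritise for patching or for the workarounds above.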

📡 Detection & Monitoring

Log Indicators:

  • Unexpected fax service process execution
  • Crash of faxcompose.exe
  • Security event 4688 for fax-related processes

Network Indicators:

  • None - local exploitation only

SIEM Query:

EventID=4688 AND (NewProcessName:*fax* OR CommandLine:*fax*)
