CVE-2022-26939

7.0 HIGH

📋 TL;DR

CVE-2022-26939 is an elevation of privilege vulnerability in Windows Storage Spaces Direct that allows authenticated attackers to gain SYSTEM-level privileges on affected systems. This affects Windows Server systems configured with Storage Spaces Direct. Attackers need valid credentials to exploit this vulnerability.

💻 Affected Systems

Products:
  • Windows Server
Versions: Windows Server 2022, Windows Server 2019, Windows Server 2016
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Storage Spaces Direct feature enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains SYSTEM privileges, enabling complete system compromise, data theft, lateral movement, and persistence establishment.

🟠 Likely Case

Privileged domain users or compromised accounts escalate to SYSTEM to install malware, steal credentials, or pivot to other systems.

🟢 If Mitigated

With proper patch management and least privilege controls, impact is limited to isolated systems with minimal data exposure.

🌐 Internet-Facing: LOW - Requires authenticated access to Storage Spaces Direct infrastructure, which is typically internal.
🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to Storage Spaces Direct infrastructure and knowledge of the specific vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 10, 2022 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26939

Restart Required: Yes

Instructions:

1. Apply the May 2022 Windows Server security updates.
2. Restart affected systems.
3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Disable Storage Spaces Direct

Remove or disable Storage Spaces Direct if it is not required. Storage Spaces Direct is a failover-cluster property rather than a standalone Windows Feature, so it is disabled with the FailoverClusters cmdlet (run on a cluster node; existing virtual disks and pools must be removed first):

Disable-ClusterStorageSpacesDirect

Restrict Access

Limit administrative access to Storage Spaces Direct systems

🧯 If You Can't Patch

  • Implement strict network segmentation for Storage Spaces Direct infrastructure
  • Apply least privilege principles and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Storage Spaces Direct is enabled and system has not received May 2022 security updates

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5012670 (Server 2022), KB5012671 (Server 2019), or KB5012672 (Server 2016) is installed
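The three checks above combined into one function, as an added example that is not part of the original advisory. It assumes the FailoverClusters module is present on the node being checked and uses the KB numbers listed on this page.

```powershell
# Added example: combine OS version, S2D state and KB presence into one status object.
function Test-S2DPatchState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # KB numbers as given on this page, keyed by the OS caption substring.
    $kbByCaption = @{
        'Windows Server 2022' = 'KB5012670'
        'Windows Server 2019' = 'KB5012671'
        'Windows Server 2016' = 'KB5012672'
    }
    $expectedKb = $null
    foreach ($caption in $kbByCaption.Keys) {
        if ($os.Caption -like "*$caption*") { $expectedKb = $kbByCaption[$caption] }
    }

    # Only clustered nodes with S2D enabled are in scope; treat "not a cluster node"
    # as S2D disabled rather than as an error.
    $s2dEnabled = $false
    if (Get-Command Get-ClusterStorageSpacesDirect -ErrorAction SilentlyContinue) {
        try {
            $s2d = Get-ClusterStorageSpacesDirect -ErrorAction Stop
            $s2dEnabled = ($s2d.State -eq 'Enabled')
        } catch {
            $s2dEnabled = $false
        }
    }

    # Get-HotFix lists the specific KB only if it is the installed update; a later
    # cumulative update supersedes it and will not show this KB ID, so a $false
    # here on a recently patched host means "check the LCU level", not "vulnerable".
    $kbInstalled = $false
    if ($expectedKb) {
        $kbInstalled = [bool](Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        OS          = $os.Caption
        ExpectedKB  = $expectedKb
        KBInstalled = $kbInstalled
        S2DEnabled  = $s2dEnabled
        Exposed     = ($s2dEnabled -and -not $kbInstalled)
    }
}

Test-S2DPatchState
```

Run it on each cluster node; `Exposed = True` flags nodes where S2D is enabled and the May 2022 KB is not visible, which should then be reconciled against the node's current cumulative-update level.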

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with SYSTEM token creation from non-SYSTEM accounts
  • Unexpected privilege escalation events

Network Indicators:

  • Unusual administrative connections to Storage Spaces Direct systems

SIEM Query:

EventID=4688 AND NewTokenId="%%1842" AND SubjectUserName!="SYSTEM"
