CVE-2022-29103

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges on Windows systems. It affects the Windows Remote Access Connection Manager (RasMan) service and enables local privilege escalation. Only users who already hold valid credentials on the target system can exploit it.

💻 Affected Systems

Products:
  • Windows Remote Access Connection Manager
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Remote Access Connection Manager service enabled. Standard Windows installations are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains full SYSTEM-level control over the Windows system, enabling installation of malware, data theft, lateral movement, and complete system compromise.

🟠 Likely Case: An attacker holding a standard user account escalates to SYSTEM privileges to bypass security controls, install persistence mechanisms, or access protected resources.

🟢 If Mitigated: With proper patch management and least privilege principles, impact is limited to isolated systems with no critical data exposure.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to the system.
🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and local execution. No public exploit code was available at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2022 security updates (KB5013942 for Windows 10, KB5013943 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29103

Restart Required: Yes

Instructions:

1. Apply the May 2022 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify update installation with the 'wmic qfe list' command.

🔧 Temporary Workarounds

Disable Remote Access Connection Manager Service


Disables the vulnerable service if not required for business operations

sc config RasMan start= disabled
sc stop RasMan

Restrict Service Permissions


Apply least privilege to service accounts and restrict who can interact with the service

sc sdshow RasMan
sc sdset RasMan [modified SDDL string]

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Apply strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if May 2022 security updates are installed: 'wmic qfe list | findstr KB501394'

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify update installation and check service version: 'sc query RasMan' and 'wmic qfe list | findstr KB501394'
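The three verification steps above combined into one PowerShell check, added here as an example and not part of the original advisory. It assumes only the KB numbers listed under Official Fix and the service name RasMan, and it runs from an elevated prompt on the host being checked.

```powershell
# Added example: one-shot verification for CVE-2022-29103 (not the advisory's own code).
# Assumes the KB numbers from the "Official Fix" section and the service name RasMan.

$FixKBs = @('KB5013942', 'KB5013943')   # May 2022 cumulative updates named in the advisory

function Get-RasManExposure {
    # Installed hotfixes; Get-HotFix reads the same data that 'wmic qfe list' prints.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = $installed | Where-Object { $FixKBs -contains $_ }

    # Service state and start mode; Win32_Service exposes StartMode, Get-Service does not.
    $svc = Get-CimInstance Win32_Service -Filter "Name='RasMan'"

    # Same fields 'systeminfo | findstr "OS Version"' shows, for the report.
    $os = Get-CimInstance Win32_OperatingSystem

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OSVersion       = $os.Version
        OSBuild         = $os.BuildNumber
        MayUpdateKB     = if ($matched) { $matched -join ',' } else { 'not found' }
        RasManState     = if ($svc) { $svc.State } else { 'service not present' }
        RasManStartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        # Exposed only when no listed KB is present AND the service can still start.
        # Caveat: a later cumulative update supersedes the May 2022 KB, so a host on a
        # newer build can show 'not found' here and still be fixed; confirm by build.
        LikelyExposed   = (-not $matched) -and ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')
    }
}

Get-RasManExposure | Format-List
```

Pipe the function's output to Export-Csv when running it across a fleet via PowerShell remoting, so the per-host results can be compared against the expected patch baseline.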

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with RasMan.exe parent process
  • Unexpected service control operations on RasMan service
  • Privilege escalation attempts in security logs

Network Indicators:

  • Unusual outbound connections from systems with RasMan service
  • Lateral movement attempts from previously compromised systems

SIEM Query:

EventID=4688 AND (NewProcessName="*\system32\*" OR ParentProcessName="*\RasMan.exe") | stats count by Computer, ParentProcessName, NewProcessName
