CVE-2022-29115
📋 TL;DR
CVE-2022-29115 is a remote code execution vulnerability in the Windows Fax Service (fxssvc.exe). An authenticated attacker who can reach the service can execute arbitrary code with SYSTEM privileges on the affected host, which is enough to take complete control of it. The service is reached over RPC (the Fax Server and Client Remote Protocol, MS-FAX), so a host is exposed only if the Fax service is installed and not disabled; there is no fixed listening port to filter on. Affected systems are Windows workstations and servers running the versions listed below that have not received the May 2022 security updates.
💻 Affected Systems
- Windows Fax Service
📦 What is this software?
- Windows 7 by Microsoft
- Windows 8.1 by Microsoft
- Windows RT 8.1 by Microsoft
- Windows 10 by Microsoft
- Windows 11 by Microsoft
- Windows Server by Microsoft
(Each product was listed once per affected edition or build; consult the vendor advisory for the exact build list.)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, or disrupt operations.
Likely Case
Privilege escalation leading to lateral movement within the network, data exfiltration, or ransomware deployment.
If Mitigated
Negligible if the Fax service is disabled or not installed, since the vulnerable code is then unreachable; otherwise limited by network segmentation and by restricting RPC access to the hosts that legitimately use the service.
🎯 Exploit Status
Exploitation requires authentication. This page records Microsoft's exploitability assessment as 'Exploitation More Likely'; confirm the current rating in the MSRC advisory linked below before prioritising, as the index can change after publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2022 security updates (released 10 May 2022). The KB number differs per OS build; look up the one for each build in the advisory.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29115
Restart Required: Yes
Instructions:
1. Apply the May 2022 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or Configuration Manager (SCCM).
3. Restart affected systems after patching; the fix is not in effect until the reboot completes.
🔧 Temporary Workarounds
Disable Windows Fax Service
Windows: stops and disables the vulnerable service so its RPC interface is no longer reachable. This is the reliable workaround.
sc stop Fax
sc config Fax start= disabled
Block network access to Fax Service
Windows: the Fax service does not listen on TCP 2000 (that port is not used by it). It registers RPC interfaces with the endpoint mapper (TCP 135) on dynamically assigned ports, so a port-based rule does not protect the host. A program-based rule on the service binary blocks inbound connections to whatever port it binds:
netsh advfirewall firewall add rule name="Block Fax Service" dir=in action=block program="%SystemRoot%\System32\fxssvc.exe" enable=yes
Caveat: a program rule only covers connections that terminate in fxssvc.exe; RPC carried over SMB named pipes (TCP 445), where the SMB server owns the socket, is not covered. Use the firewall rule alongside disabling the service, not instead of it.
🧯 If You Can't Patch
- Disable the Windows Fax Service on every affected system, and do not install the Fax role on servers that do not need it
- Restrict RPC access to affected hosts (TCP 135 and the dynamic RPC port range) to the hosts that legitimately use the fax service; there is no fixed fax port to filter on
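The two workarounds above, applied idempotently from an elevated PowerShell session and reported back so the change can be recorded. This is an added example, not code from the original advisory or from Microsoft; the rule name is our own choice, and it assumes the Fax service binary is at its default location, %SystemRoot%\System32\fxssvc.exe.

```powershell
# Added example (not from the original advisory): apply the two workarounds idempotently
# and report what was changed. Run from an elevated PowerShell session.
# Assumption: the Fax service binary lives at %SystemRoot%\System32\fxssvc.exe (default).

#Requires -RunAsAdministrator

$ruleName  = 'Block Fax Service (CVE-2022-29115 workaround)'   # rule name is our own choice
$faxBinary = Join-Path $env:SystemRoot 'System32\fxssvc.exe'

function Disable-FaxService {
    $svc = Get-Service -Name Fax -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output 'Fax service is not installed on this host; nothing to disable.'
        return
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Fax -Force
        Write-Output "Fax service stopped (was $($svc.Status))."
    }
    if ($svc.StartType -ne 'Disabled') {
        Set-Service -Name Fax -StartupType Disabled
        Write-Output "Fax service start type set to Disabled (was $($svc.StartType))."
    }
}

function Add-FaxBlockRule {
    # Program-based rule: covers the service's own RPC-over-TCP endpoint regardless of the
    # dynamic port it binds. It does not cover transports whose socket is owned by another
    # process (e.g. SMB named pipes), which is why disabling the service is the primary control.
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Firewall rule '$ruleName' already exists."
        return
    }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Program $faxBinary -Profile Any -Enabled True | Out-Null
    Write-Output "Firewall rule '$ruleName' created for $faxBinary."
}

Disable-FaxService
Add-FaxBlockRule

# Show the resulting state so it can be pasted into the change ticket.
Get-Service -Name Fax -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action
```

Both functions check the current state before changing anything, so the script can be re-run safely (for example from an endpoint management tool) and on hosts where the Fax service was never installed it only reports that fact.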
🔍 How to Verify
Check if Vulnerable:
Check whether the Windows Fax Service is installed and running: sc query Fax
A STATE of RUNNING means the vulnerable code is reachable. A stopped service with a Manual start type can still be started on demand, so treat any start type other than Disabled as exposed. The error "OpenService FAILED 1060" means the service is not installed, which is the default on Windows Server unless the Fax role has been added.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the May 2022 security update for this build is installed: wmic qfe list | findstr "KB5013942"
KB5013942 is the update for Windows 10 20H2/21H1/21H2; other builds use a different KB number (see the advisory). Two caveats: wmic is deprecated on current builds, and a later cumulative update supersedes the May one, so the May KB may no longer be listed on an up-to-date host. In that case compare the OS build number against the fixed build given in the advisory instead.
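The three checks above (service state, exact build, update presence) combined into one decision, as an added example that is not part of the original advisory. It assumes the caller supplies the KB that applies to the host's own build via -RequiredKb; the default KB5013942 is only correct for Windows 10 20H2/21H1/21H2.

```powershell
# Added example (not from the original advisory): gather the three facts needed to decide
# whether a host is exposed to CVE-2022-29115 and whether the fix is present.
# Assumption: $RequiredKb is the KB for *this host's* OS build. KB5013942 is the May 2022
# cumulative update for Windows 10 20H2/21H1/21H2; other builds have their own KB number,
# so look it up in the MSRC advisory before relying on the result.

param(
    [string]$RequiredKb = 'KB5013942'
)

function Get-FaxExposure {
    param([string]$Kb)

    # OS identity: CurrentBuild plus UBR gives the exact patch level (e.g. 19044.nnnn).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($cv.CurrentBuild).$($cv.UBR)"

    # Service state: absent (not installed), disabled, or reachable (any other start type).
    $svc = Get-Service -Name Fax -ErrorAction SilentlyContinue
    $serviceState = if (-not $svc) { 'NotInstalled' }
                    elseif ($svc.StartType -eq 'Disabled') { 'Disabled' }
                    else { "$($svc.StartType)/$($svc.Status)" }

    # Update state: Get-HotFix reads the same data "wmic qfe" did, without the deprecated tool.
    # Caveat: a later cumulative update supersedes this KB, so an up-to-date host may report
    # $false here; compare $build against the fixed build in the advisory in that case.
    $kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # Decision: vulnerable code is reachable only if the service is installed and not disabled,
    # and the fix is missing.
    $exposed = ($serviceState -ne 'NotInstalled') -and
               ($serviceState -ne 'Disabled') -and
               (-not $kbInstalled)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ProductName  = $cv.ProductName
        Build        = $build
        FaxService   = $serviceState
        RequiredKb   = $Kb
        KbInstalled  = $kbInstalled
        Exposed      = $exposed
    }
}

Get-FaxExposure -Kb $RequiredKb | Format-List
```

The object it returns is meant to be collected across a fleet (for example via Invoke-Command) and filtered on Exposed; the Build field is there so hosts that have moved past the May update can be cleared by build number rather than by KB presence.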
📡 Detection & Monitoring
Log Indicators:
- System Event ID 7036 (Service Control Manager) for the Fax service entering the running or stopped state, in particular a start on a host where the service was disabled as a workaround
- Process creation (Security Event ID 4688 or Sysmon Event ID 1) with fxssvc.exe as the parent process; the Fax service does not normally spawn child processes
- Windows does not log access to the Fax service's RPC interface separately, so there is no dedicated "authentication to Fax" event; rely on the two indicators above plus network data
Network Indicators:
- The service has no fixed port (TCP 2000 is not used by it). Look for RPC endpoint-mapper queries (TCP 135) followed by dynamic-port connections to hosts running the Fax service from sources that have no business with fax
- Connections to hosts with the Fax role installed from workstations or subnets that do not use it
SIEM Query (illustrative; adapt field names to your schema):
source="windows" ((event_id=7036 AND service_name="Fax") OR (event_id=4688 AND parent_process_name="*\fxssvc.exe"))
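The two host-side indicators listed above pulled from the local event logs, as an added example that is not part of the original advisory. It assumes process-creation auditing (Security 4688) is enabled, that the script runs with rights to read the Security log, and that -Days is the lookback window.

```powershell
# Added example (not from the original advisory): pull the two host-side indicators this
# page lists from the local event logs. Assumptions: Security event 4688 (process creation)
# auditing is enabled, the caller can read the Security log, and -Days is the lookback window.

param([int]$Days = 7)

$since     = (Get-Date).AddDays(-$Days)
$faxBinary = Join-Path $env:SystemRoot 'System32\fxssvc.exe'

function Get-FaxServiceStateChanges {
    # System 7036: "The Fax service entered the running state." / "... the stopped state."
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '^The Fax service ' } |
    Select-Object TimeCreated, Id, Message
}

function Get-FaxChildProcesses {
    # Security 4688 carries ParentProcessName on Windows 10 / Server 2016 and later.
    # The Fax service should not spawn children; any hit deserves a look.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML by field name rather than relying on Properties[] positions.
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentProcessName'] -ieq $faxBinary) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Parent      = $data['ParentProcessName']
                NewProcess  = $data['NewProcessName']
                CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

Write-Output "== Fax service start/stop (System 7036), last $Days day(s) =="
Get-FaxServiceStateChanges | Format-Table -AutoSize
Write-Output "== Processes spawned by fxssvc.exe (Security 4688), last $Days day(s) =="
Get-FaxChildProcesses | Format-Table -AutoSize
```

On a host where the service was disabled as a workaround, any 7036 "entered the running state" line for Fax is itself worth an alert; a non-empty child-process table is the stronger signal and should be triaged as possible exploitation.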