CVE-2022-30146

7.5 HIGH

📋 TL;DR

This vulnerability allows remote code execution on Windows systems running LDAP services. Attackers can exploit it by sending specially crafted requests to a vulnerable LDAP server, potentially gaining SYSTEM privileges. All Windows systems with LDAP enabled are affected.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Windows Server 2022, 2019, 2016, 2012 R2, 2012; Windows 11, 10, 8.1, 7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with LDAP services enabled are vulnerable. Domain controllers are particularly at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges, enabling complete control over the server, data theft, and lateral movement across the network.

🟠 Likely Case: Remote code execution leading to malware deployment, credential harvesting, and establishment of persistent access in enterprise environments.

🟢 If Mitigated: Limited impact due to network segmentation, strict firewall rules, and LDAP hardening preventing exploitation attempts.

🌐 Internet-Facing: HIGH if LDAP services are exposed to the internet without proper filtering or authentication.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and internal access controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Microsoft rates this as 'Exploitation More Likely' in their advisory. No public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates from June 2022 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30146

Restart Required: Yes

Instructions:

1. Apply the June 2022 Windows security updates.
2. For domain controllers, install updates during maintenance windows.
3. Restart affected systems to complete installation.

🔧 Temporary Workarounds

Block LDAP ports at perimeter (applies to: all platforms)

Prevent external access to LDAP services by blocking TCP ports 389 and 636 at the network perimeter.

Enable LDAP channel binding and signing (applies to: Windows)

Configure the domain controller to require LDAP signing and channel binding, which rejects unsigned and unbound LDAP sessions and removes some of the attack vectors against the service. The corresponding NTDS registry values (2 = required), set from an elevated PowerShell session:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name LDAPServerIntegrity -Value 2 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name LdapEnforceChannelBinding -Value 2 -Type DWord

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LDAP servers from untrusted networks
  • Deploy intrusion detection systems to monitor for LDAP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the June 2022 security updates are installed, via Windows Update history or the systeminfo command.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5014692 (or later cumulative update) is installed and system has been restarted.
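As an added example that is not part of this advisory, the verification items above (KB present, restart completed, LDAP signing and channel binding required) combined into one PowerShell function. It assumes the page's KB5014692 is the right cumulative update for the host's Windows version; the registry value names and CIM class used are Microsoft's standard ones, not taken from this page.

```powershell
# Added example, not from the advisory: report patch and LDAP hardening state
# for CVE-2022-30146 on the local Windows host (run from an elevated session).
function Test-LdapPatchState {
    param(
        # KB5014692 is the KB named on this page; the June 2022 cumulative
        # update KB differs per Windows version, so extend this list as needed.
        [string[]]$RequiredKb = @('KB5014692')
    )

    # 1. Installed-update check via the Win32_QuickFixEngineering inventory.
    $hotfixes = Get-HotFix
    $hasKb    = [bool]($hotfixes | Where-Object { $RequiredKb -contains $_.HotFixID })
    $newest   = ($hotfixes | Where-Object InstalledOn |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    # 2. Pending-restart check: an installed update is not effective until reboot.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    # 3. LDAP hardening state. DomainRole 4/5 = backup/primary domain controller.
    # LDAPServerIntegrity and LdapEnforceChannelBinding are the standard NTDS
    # registry values behind the LDAP signing / channel binding policies; 2 = required.
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p    = if ($isDc -and (Test-Path $ntds)) { Get-ItemProperty -Path $ntds } else { $null }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSVersion            = [System.Environment]::OSVersion.Version.ToString()
        RequiredKbInstalled  = $hasKb
        NewestUpdateDate     = $newest
        RebootPending        = $rebootPending
        IsDomainController   = $isDc
        LdapSigningRequired  = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingAlways = ($p.LdapEnforceChannelBinding -eq 2)
        # Fixed only when the KB is present and no restart is outstanding.
        Patched              = ($hasKb -and -not $rebootPending)
    }
}

Test-LdapPatchState | Format-List
```

Run it on each domain controller; a host reporting Patched = False with RebootPending = True has the update staged but not yet effective.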

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in Windows Event Logs (Event ID 2889)
  • Failed authentication attempts followed by successful exploitation

Network Indicators:

  • Unusual LDAP traffic patterns, especially large or malformed LDAP packets
  • Traffic to LDAP ports from unexpected sources

SIEM Query:

source="windows" event_id=2889 AND (ldap_query="*" OR ldap_response="*")
