CVE-2022-30165 – This vulnerability allows attackers to escalate... (How to Fix)

Q: What is the severity of CVE-2022-30165?

CVE-2022-30165 has a CVSS score of 8.8 (HIGH). This vulnerability allows attackers to escalate privileges on Windows systems by exploiting a flaw in Kerberos authentication. Attackers can gain SYSTEM-level access by manipulating redirected logon buffers. All Windows systems with Kerberos authentication enabled are potentially affected.

📋 TL;DR

This vulnerability allows attackers to escalate privileges on Windows systems by exploiting a flaw in Kerberos authentication. Attackers can gain SYSTEM-level access by manipulating redirected logon buffers. All Windows systems with Kerberos authentication enabled are potentially affected.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with Kerberos authentication enabled (default in Active Directory environments) are vulnerable. Standalone systems without domain join may have reduced exposure.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from standard user to SYSTEM on compromised machines, leading to credential harvesting and persistence establishment.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, though initial foothold could still be leveraged.

🌐 Internet-Facing: LOW - Requires authenticated access to the target system, not directly exploitable from internet-facing services.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a network, this vulnerability enables rapid privilege escalation across Windows domain environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit requires authenticated access to the target system. Public proof-of-concept code exists, making exploitation more accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2022 security updates (KB5014692, KB5014699, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30165

Restart Required: Yes

Instructions:

1. Apply June 2022 Windows security updates from Microsoft Update. 2. Restart affected systems. 3. Verify patch installation via Windows Update history or system information.

🔧 Temporary Workarounds

Restrict Kerberos delegation

windows

Limit Kerberos constrained delegation to reduce attack surface

Implement least privilege

all

Ensure users operate with minimal necessary privileges to limit impact of escalation

🧯 If You Can't Patch

Segment networks to limit lateral movement from compromised systems
Implement strict monitoring for Kerberos authentication anomalies and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if June 2022 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

wmic qfe list | findstr KB5014692 or systeminfo | findstr Hotfix

Verify Fix Applied:

Verify KB5014692 (Windows 10/11) or KB5014699 (Server 2016/2019/2022) is installed

📡 Detection & Monitoring

Log Indicators:

Event ID 4624 with elevated privileges, Kerberos authentication failures, unexpected SYSTEM privilege usage

Network Indicators:

Unusual Kerberos ticket requests, abnormal authentication patterns

SIEM Query:

EventID=4624 AND PrivilegeList="SeDebugPrivilege" OR EventID=4672

📊 Metadata

CVE ID: CVE-2022-30165

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Published: June 15, 2022

Last Updated: January 2, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30165
http://packetstormsecurity.com/files/167711/Windows-Kerberos-Redirected-Logon-Buffer-Privilege-Escalation.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30165 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Kerberos delegation

Implement least privilege

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export