CVE-2022-30188

7.8 HIGH

📋 TL;DR

CVE-2022-30188 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions. An attacker who convinces a user to open a specially crafted media file can execute arbitrary code when the HEVC decoder parses that file. It affects Windows systems on which the HEVC Video Extensions package (normally installed from the Microsoft Store) is present; the attacker's code runs with the rights of the user who opened the file, not with elevated privileges.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Versions prior to 1.0.51121.0 (the July 2022 update)
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: HEVC Video Extensions are often installed from Microsoft Store for HEVC video playback. Systems without this extension are not vulnerable.

📦 What is this software?

HEVC Video Extensions is a Microsoft Store package that adds an H.265/HEVC decoder to the Windows media pipeline so that built-in apps such as Movies & TV and Photos, and any other application using the system codecs, can play HEVC-encoded video. Because the decoder is loaded by whichever application opens the file, a malformed HEVC stream is parsed inside that application, in the security context of the user who opened it.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution in the context of the user who opened the file. If that user is a local administrator, or the attacker chains a separate privilege-escalation vulnerability, this becomes complete system compromise: malware installation, data theft, and persistence. The vulnerability itself does not grant SYSTEM privileges.

🟠

Likely Case

Attacker gains user-level privileges to execute code, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟢

If Mitigated

Limited impact due to user account restrictions, application sandboxing, or network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, web downloads, or messaging apps.
🏢 Internal Only: MEDIUM - Internal phishing campaigns or compromised internal shares could deliver malicious files to users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (a local user must open the crafted file)
Complexity: MEDIUM

Exploitation requires user interaction to open malicious media file. Proof-of-concept code has been published, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version 1.0.51121.0 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30188

Restart Required: No

Instructions:

  1. Open Microsoft Store.
  2. Open Library (Downloads and updates in older Store versions).
  3. Click 'Get updates'.
  4. Install the available HEVC Video Extensions update.
  5. The OEM-distributed variant ('HEVC Video Extensions from Device Manufacturer') is updated through the same Store update flow.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions

windows

Remove the vulnerable component entirely if HEVC video playback is not required. The command below removes the package for the current user only; to remove it from every profile on the machine, run it from an elevated PowerShell and add -AllUsers to both Get-AppxPackage and Remove-AppxPackage.

Get-AppxPackage *HEVC* | Remove-AppxPackage

Restrict file execution policies

windows

Application control (WDAC or AppLocker) cannot stop a media player from handing a file to the decoder, so it does not prevent the memory-corruption bug from triggering. It does limit what a successful exploit can do next: block unsigned binaries and script hosts for standard users so that a payload dropped by the decoder process cannot run.

🧯 If You Can't Patch

  • Implement strict email filtering to block suspicious attachments and links
  • Educate users about risks of opening untrusted media files and implement least privilege access

🔍 How to Verify

Check if Vulnerable:

The system is affected only if the HEVC Video Extensions package is installed and older than 1.0.51121.0. List installed copies with PowerShell: Get-AppxPackage *HEVC* | Select Name, Version

Check Version:

Get-AppxPackage *HEVC* | Select Name, Version

Note that Get-AppxPackage without -AllUsers only reports packages for the current user; run it elevated with -AllUsers to cover every profile on the machine.

Verify Fix Applied:

Every listed package must report version 1.0.51121.0 or higher. Compare versions as [version] objects rather than strings, otherwise a lexical comparison can misjudge builds with more digits: Get-AppxPackage *HEVC* | Select Version
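The check above, worked into a script that enumerates every profile and compares versions numerically. This is an added example, not tooling from the advisory or from Microsoft. It assumes the package names begin with Microsoft.HEVCVideoExtension (the trailing wildcard is meant to match both the Store and the OEM-distributed package) and that 1.0.51121.0 is the fixed build as stated above; the sample versions fed to the helper are constructed.

```powershell
# Added example for CVE-2022-30188 (not from the advisory page).
# Compares each installed HEVC Video Extensions package against the fixed build.
# Run from an elevated PowerShell so that -AllUsers can enumerate every profile.

$FixedVersion = [version]'1.0.51121.0'   # fixed build as listed on this page

function Test-HevcPatched {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Version,
        [version]$Minimum = $FixedVersion
    )
    # [version] comparison avoids the string-compare trap where '1.0.9' sorts after '1.0.51121'.
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Patched = ([version]$Version -ge $Minimum)
    }
}

# Constructed sample rows (not real inventory data) to show the helper's output shape.
$sample = @(
    @{ Name = 'Microsoft.HEVCVideoExtension';  Version = '1.0.50361.0' }   # assumed pre-fix build
    @{ Name = 'Microsoft.HEVCVideoExtensions'; Version = '1.0.51121.0' }   # fixed build
)
$sample | ForEach-Object { Test-HevcPatched -Name $_.Name -Version $_.Version } | Format-Table -AutoSize

# Live check: one row per package per profile that has it staged.
# Name pattern is an assumption; adjust if your inventory shows a different package name.
$packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'
if (-not $packages) {
    Write-Output 'HEVC Video Extensions not installed for any user: not affected by CVE-2022-30188.'
} else {
    $packages |
        ForEach-Object { Test-HevcPatched -Name $_.Name -Version $_.Version } |
        Format-Table -AutoSize
    if ($packages | Where-Object { [version]$_.Version -lt $FixedVersion }) {
        Write-Warning 'At least one profile still has a vulnerable HEVC Video Extensions build.'
    }
}
```

Appx packages are staged per user, so a machine can be "patched" for the administrator who ran the Store update and still vulnerable for another account; the -AllUsers enumeration is what catches that.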

📡 Detection & Monitoring

Log Indicators:

  • Application log crash events (Event ID 1000, Application Error) in a media player process where the faulting module path is under the HEVC Video Extensions package folder; a failed exploit attempt typically surfaces as a decoder crash
  • Media player processes spawning shells or script hosts (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe), which a decoder has no legitimate reason to do

Network Indicators:

  • Unusual outbound connections from media player processes
  • Downloads of suspicious media files from external sources

SIEM Query:

Process creation events where the parent image is a media player (for example Movies & TV, VLC, Windows Media Player) and the child image is a shell, script host or LOLBin (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe). Matching on media file extensions in the command line is far too noisy to alert on; use it only as enrichment for the parent/child rule.
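The parent/child rule above as a runnable filter, as an added example that is not from the advisory page or any Microsoft tooling. The event records are constructed to mimic Sysmon Event ID 1 fields (UtcTime, User, ParentImage, Image, CommandLine); the media player executable names and the suspicious-child list are assumptions to be tuned to the players actually deployed in the environment.

```powershell
# Added detection example for CVE-2022-30188 (not from the advisory page).
# Flags process-creation events where a media player spawned a shell or script host.

# Assumed media player executables (Video.UI.exe is Movies & TV); extend for your estate.
$MediaPlayers = @('Video.UI.exe', 'vlc.exe', 'wmplayer.exe', 'mpc-hc64.exe')
# Children a decoder host should never launch.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe')

function Find-MediaPlayerSpawn {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = Split-Path -Leaf $e.ParentImage
        $child  = Split-Path -Leaf $e.Image
        # Case-insensitive by default in PowerShell, which matches how Windows names binaries.
        if ($MediaPlayers -contains $parent -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry): one benign, one suspicious, one benign child.
$events = @(
    [pscustomobject]@{ UtcTime = '2022-07-12 14:02:11'; User = 'CORP\alice'
                       ParentImage = 'C:\Program Files\VideoLAN\VLC\vlc.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA' }
    [pscustomobject]@{ UtcTime = '2022-07-12 14:03:40'; User = 'CORP\bob'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\VideoLAN\VLC\vlc.exe'
                       CommandLine = 'vlc.exe "C:\Users\bob\Downloads\clip.mp4"' }
    [pscustomobject]@{ UtcTime = '2022-07-12 14:05:02'; User = 'CORP\carol'
                       ParentImage = 'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.22.1.0_x64__8wekyb3d8bbwe\Video.UI.exe'
                       Image = 'C:\Windows\System32\conhost.exe'
                       CommandLine = 'conhost.exe 0x4' }
)

# Only the first event matches: VLC launching cmd.exe with an encoded PowerShell payload.
Find-MediaPlayerSpawn -Events $events | Format-Table -AutoSize
```

In production the same function can be fed from Get-WinEvent against the Sysmon operational log (Event ID 1) or the equivalent EDR process table; the logic is the parent/child pairing, not the transport.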
