Login Sign Up

CVE-2022-30202

7.0 HIGH

📋 TL;DR

This vulnerability in Windows Advanced Local Procedure Call (ALPC) allows an authenticated attacker to execute code with SYSTEM privileges by exploiting improper object handling. It affects Windows systems where an attacker already has local access and can run low-privileged code. Successful exploitation leads to complete system compromise.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Windows versions are vulnerable. The vulnerability exists in the ALPC component which is enabled by default.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, though initial foothold could still be gained.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the target system.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a Windows system (via phishing, credential theft, etc.), they can exploit this to gain full control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to execute code. The vulnerability has been publicly disclosed and proof-of-concept code exists, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2022 security updates (KB5015807, KB5015808, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30202

Restart Required: Yes

Instructions:

1. Apply the July 2022 Windows security updates from Microsoft Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart affected systems to complete installation.

🔧 Temporary Workarounds

No known workarounds

windows

Microsoft has not identified any workarounds for this vulnerability

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit user access and reduce attack surface
  • Deploy application control solutions to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check if July 2022 security updates are installed via 'wmic qfe list' or 'Get-Hotfix' in PowerShell

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5015807 (or equivalent for your Windows version) is installed and system has been restarted

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with parent process creating child processes with SYSTEM privileges
  • Unexpected privilege escalation events in security logs

Network Indicators:

  • Unusual outbound connections from systems after local privilege escalation

SIEM Query:

source="Windows Security" EventCode=4688 NewProcessName="*" TokenElevationType="%%1936"

📊 Metadata

CVE ID: CVE-2022-30202
CVSS v3 Score: 7.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: July 12, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON