CVE-2022-30206

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to gain SYSTEM-level privileges on Windows systems by exploiting the Print Spooler service. It affects Windows servers and workstations where the Print Spooler service is enabled. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when Print Spooler service is running (enabled by default on most Windows installations).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling installation of malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install persistent backdoors, and access sensitive system resources.

🟢 If Mitigated

Limited impact if Print Spooler is disabled or proper access controls restrict local user privileges.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Significant risk from insider threats or attackers who gain initial access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access with standard user privileges. Multiple Print Spooler vulnerabilities have been actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2022 security updates (KB5015807, KB5015808, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206

Restart Required: Yes

Instructions:

1. Apply the July 2022 Windows security updates from Windows Update.
2. For enterprise environments, deploy the patches through WSUS or SCCM.
3. Restart affected systems after patching.

🔧 Temporary Workarounds

Disable Print Spooler Service

Stops the vulnerable service entirely, preventing exploitation but disabling printing functionality.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

Modify permissions on the spool directory to prevent unauthorized access.

icacls C:\Windows\System32\spool\PRINTERS /deny "Users:(OI)(CI)(M)"

🧯 If You Can't Patch

  • Disable Print Spooler service on non-essential systems
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Print Spooler service is running and whether the system lacks the July 2022 security updates.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm that the July 2022 security updates (e.g. KB5015807, KB5015808) appear in the hotfix list printed by 'systeminfo' or in the Windows Update history.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 (service state changes) for Print Spooler
  • Unexpected privilege escalation events in Security logs
  • Suspicious process creation from spoolsv.exe

Network Indicators:

  • Unusual RPC calls to Print Spooler service
  • SMB connections to print shares from unexpected sources

SIEM Query:

EventID=7036 AND ServiceName="Spooler" AND (State="running" OR State="stopped")
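The checks in "How to Verify" and the Event ID 7036 indicator above, combined into one local host script. This is an added example, not part of the advisory; it assumes the KB numbers the advisory names (KB5015807, KB5015808) are the relevant July 2022 updates for the host's SKU, and it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original advisory): defender-side exposure check for
# CVE-2022-30206 on the local host. $JulyKbs comes from the advisory; other Windows
# SKUs receive different KB numbers, so extend the list for your estate.
$JulyKbs = @('KB5015807', 'KB5015808')

# 1. Is the vulnerable service present, running, and set to start automatically?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Print Spooler service not installed: not exposed.'
} else {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    Write-Output ("Spooler status: {0}, start mode: {1}" -f $svc.Status, $startMode)
}

# 2. Is one of the listed July 2022 cumulative updates installed?
$installed = Get-HotFix | Where-Object { $JulyKbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ('Patched: ' + ($installed.HotFixID -join ', '))
} else {
    Write-Output 'No listed July 2022 KB found: treat as unpatched.'
}

# Exposed only when the service is actually running and no listed KB is present.
$exposed = ($null -ne $svc) -and ($svc.Status -eq 'Running') -and (-not $installed)
Write-Output ("Likely vulnerable: {0}" -f $exposed)

# 3. Detection: Service Control Manager 7036 (service state change) events for the
#    Print Spooler over the last 7 days. Unexpected stop/start pairs on hosts that
#    do not print are worth investigating alongside spoolsv.exe child processes.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Print Spooler*' } |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message.Trim() } } |
    Format-Table -AutoSize
```

Run it across a fleet (for example via Invoke-Command) to produce a per-host list of exposed systems before deciding where to disable the service.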
