CVE-2022-30226

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to gain SYSTEM-level privileges on Windows systems by exploiting the Print Spooler service. It affects Windows servers and workstations where the Print Spooler service is running. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Windows 10
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
Versions: Multiple versions prior to July 2022 updates
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Print Spooler service enabled (default on most Windows installations).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation from standard user to SYSTEM, enabling persistence mechanisms and access to sensitive system resources.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, though privilege escalation could still occur.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any compromised user account on affected systems could escalate to SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the system. Exploit code has been publicly released and is relatively simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2022 security updates (KB5015807, KB5015808, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226

Restart Required: Yes

Instructions:

1. Apply July 2022 Windows security updates from Microsoft Update.
2. Restart the system.
3. Verify the patch is installed via Windows Update history or the systeminfo command.

🔧 Temporary Workarounds

Disable Print Spooler Service

Stops the vulnerable service from running, preventing exploitation (run from an elevated command prompt; in PowerShell use sc.exe, since sc is an alias for Set-Content).

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

Limits access to the spooler directory to reduce attack surface.

icacls C:\Windows\System32\spool\PRINTERS /deny "Authenticated Users":(OI)(CI)F

🧯 If You Can't Patch

  • Disable Print Spooler service on all non-print servers
  • Implement strict access controls and monitor for suspicious spooler service activity

🔍 How to Verify

Check if Vulnerable:

Check if the July 2022 security updates are installed via the systeminfo command (its Hotfix(s) section lists installed KB numbers) or Windows Update history.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5015807 (or equivalent for your Windows version) is installed and Print Spooler service is either patched or disabled.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 (System log, source Service Control Manager) for the Print Spooler service stopping/starting unexpectedly
  • Suspicious process creation from spoolsv.exe
  • Access denied errors in Print Spooler logs

Network Indicators:

  • Unusual RPC calls to spooler service
  • SMB connections to print spooler shares

SIEM Query (KQL against the Azure Monitor Event table; adapt table and field names for other SIEMs):

Event
| where TimeGenerated > ago(1h)
| where EventID == 7036 and Source == "Service Control Manager"
| where RenderedDescription has "Print Spooler"
    and (RenderedDescription has "stopped state" or RenderedDescription has "running state")
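The verification and detection steps above, combined into one local check, as an added example that is not part of the original advisory. It assumes the KB numbers listed on this page are the right ones for your OS build (confirm against the vendor advisory) and that Get-HotFix, which reads Win32_QuickFixEngineering, lists the cumulative update on your host.

```powershell
# Added example: report patch state, workaround state and recent spooler
# state changes for CVE-2022-30226 on the local host. Run elevated.
# KB numbers are taken from the advisory above; mapping them to your OS build
# is an assumption you must confirm on the MSRC page.
$KBs = @('KB5015807', 'KB5015808')

# 1. Is one of the July 2022 updates present?
$installed = Get-HotFix | Where-Object { $KBs -contains $_.HotFixID }
$patched   = [bool]$installed

# 2. Is the Print Spooler service stopped and disabled (the temporary workaround)?
$svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$status   = if ($svc) { $svc.Status }    else { 'NotInstalled' }
$start    = if ($svc) { $svc.StartType } else { 'NotInstalled' }
$disabled = ($status -eq 'Stopped') -and ($start -eq 'Disabled')

# 3. Detection: Service Control Manager event 7036 for Print Spooler in the
#    last hour, read from the local System log (same signal as the SIEM query).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Print Spooler*' }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    PatchInstalled      = $patched
    MatchedKBs          = ($installed.HotFixID -join ',')
    SpoolerStatus       = $status
    SpoolerStartType    = $start
    WorkaroundApplied   = $disabled
    StillExposed        = -not ($patched -or $disabled)
    SpoolerStateChanges = @($events).Count
} | Format-List

# Unplanned stop/start transitions deserve a closer look.
$events | Select-Object TimeCreated, Message | Format-Table -Wrap
```

A host reporting StillExposed = True has neither the page's patch nor its workaround in place.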
