CVE-2022-35744

9.8 CRITICAL

📋 TL;DR

CVE-2022-35744 is a critical remote code execution vulnerability in Windows Point-to-Point Protocol (PPP) that allows unauthenticated attackers to execute arbitrary code on affected systems. This affects Windows servers and workstations with PPP enabled, potentially allowing complete system compromise. The vulnerability is particularly dangerous because it can be exploited without user interaction.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows Server 2022, Windows 11, Windows Server 2019, Windows 10 Version 21H2, Windows 10 Version 21H1, Windows 10 Version 20H2, Windows Server 2016, Windows 10 Version 1607, Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows 7 SP1
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when PPP is enabled and configured. PPP is not enabled by default on most Windows installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to malware installation, credential harvesting, and system compromise for further network exploitation.

🟢 If Mitigated

Limited impact with proper network segmentation, firewall rules blocking PPP ports, and endpoint protection detecting exploitation attempts.

🌐 Internet-Facing: HIGH - PPP services exposed to the internet can be directly exploited by remote attackers without authentication.
🏢 Internal Only: MEDIUM - Internal systems with PPP enabled remain vulnerable to attackers who gain initial network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft has rated this as 'Exploitation More Likely' in their security advisory. The vulnerability requires no user interaction and can be exploited remotely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2022 security updates (KB5016616, KB5016623, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744

Restart Required: Yes

Instructions:

1. Apply the August 2022 Windows security updates from Windows Update.
2. For enterprise environments, deploy the updates via WSUS, SCCM, or Intune.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable PPP Service

Platform: Windows

Disable the Point-to-Point Protocol service if it is not required for business operations.

sc config RasMan start= disabled
sc stop RasMan

Block PPP Ports

Platform: All

Configure firewalls to block PPP-related ports (TCP 1723, GRE protocol 47) from untrusted networks.

🧯 If You Can't Patch

  • Disable PPP/RAS services on all affected systems immediately
  • Implement strict network segmentation and firewall rules to isolate systems with PPP enabled

🔍 How to Verify

Check if Vulnerable:

Check whether the PPP/RAS service is running: 'sc query RasMan', or 'Get-Service RasMan' in PowerShell. If the service is running and the system is unpatched, it is vulnerable.

Check Version:

wmic os get caption,version,buildnumber,csdversion

Verify Fix Applied:

Verify August 2022 security updates are installed: 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"' and check for KB5016616 or later patches.
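The two checks above (RasMan state and installed August 2022 updates) combined into one PowerShell report, as an added example that is not part of this advisory. The function name and verdict labels are my own, and it assumes only the two KB numbers the advisory names; other Windows builds receive different KB numbers, so extend the list before trusting a "Patched" verdict.

```powershell
# Added example, not from the advisory: report this host's exposure to CVE-2022-35744
# using the advisory's own checks (RasMan service state, August 2022 KBs).
# Run in an elevated PowerShell prompt on the host being assessed.
function Test-Cve202235744Exposure {
    param(
        # Assumption: only the KB numbers the advisory lists are known here.
        [string[]]$KnownFixes = @('KB5016616', 'KB5016623')
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc = Get-Service -Name RasMan -ErrorAction SilentlyContinue

    # Get-HotFix enumerates installed updates; keep only the advisory's KB IDs.
    $matched = @(Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $KnownFixes -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID)

    $serviceState = if ($null -eq $svc) { 'NotInstalled' } else { $svc.Status.ToString() }
    $startType    = if ($null -eq $svc) { 'n/a' } else { $svc.StartType.ToString() }
    $patched      = $matched.Count -gt 0

    # Verdict follows the advisory: exposed only when RasMan can run and no fix is present.
    $verdict = 'At risk (RasMan stopped but enabled, no fix found)'
    if ($patched) {
        $verdict = 'Patched'
    }
    elseif ($serviceState -eq 'Running') {
        $verdict = 'Vulnerable (RasMan running, no fix found)'
    }
    elseif ($serviceState -eq 'NotInstalled' -or $startType -eq 'Disabled') {
        $verdict = 'Mitigated (RasMan absent or disabled, still unpatched)'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        Version     = $os.Version
        RasManState = $serviceState
        RasManStart = $startType
        FixesFound  = ($matched -join ', ')
        Verdict     = $verdict
    }
}

Test-Cve202235744Exposure | Format-List
```

Feed the object to Export-Csv instead of Format-List to collect results from many hosts via Invoke-Command.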

📡 Detection & Monitoring

Log Indicators:

  • Event ID 20209 in RemoteAccess logs
  • Unexpected PPP connection attempts
  • RasMan service crashes or unexpected restarts

Network Indicators:

  • Unusual PPP traffic patterns
  • Connection attempts to TCP port 1723 from unexpected sources
  • GRE protocol traffic anomalies

SIEM Query:

source="*RemoteAccess*" AND (EventID=20209 OR "RasMan" OR "PPP")
