CVE-2022-38777

7.8 HIGH

📋 TL;DR

CVE-2022-38777 is a privilege escalation vulnerability in Elastic Endpoint Security for Windows. Unprivileged users can exploit the rollback feature to gain LocalSystem account privileges. This affects Elastic Endpoint Security installations on Windows systems.

💻 Affected Systems

Products:
  • Elastic Endpoint Security
Versions: Before 7.17.9, 8.5.0, and 8.6.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Elastic Endpoint Security for Windows installations. Other Elastic products and platforms are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full LocalSystem privileges, allowing complete system compromise, data theft, malware installation, and persistence establishment.

🟠 Likely Case

Local attackers escalate privileges to install additional malware, steal credentials, or move laterally within the network.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local user access but no special privileges. The vulnerability is in the rollback feature implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.17.9, 8.5.0, or 8.6.1

Vendor Advisory: https://discuss.elastic.co/t/elastic-7-17-9-8-5-0-and-8-6-1-security-update/324661

Restart Required: Yes

Instructions:

1. Update Elastic Endpoint Security to version 7.17.9, 8.5.0, or 8.6.1 or later.
2. Restart the system or the Elastic Endpoint Security service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Restrict local user access (Platform: Windows)

Limit non-administrative user access to systems running Elastic Endpoint Security.

Disable unnecessary rollback features (Platform: Windows)

If rollback functionality is not required, consider disabling it through policy.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user access to affected systems
  • Monitor for privilege escalation attempts and unusual LocalSystem account activity

🔍 How to Verify

Check if Vulnerable:

Check the Elastic Endpoint Security version in the application interface, or with the PowerShell command listed under Check Version.

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Elastic Endpoint*'} | Select-Object Name, Version

Verify Fix Applied:

Confirm with the same command that the installed version is at or above the fix version for its release branch (7.17.9, 8.5.0, or 8.6.1).
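An added example (not from the advisory or from Elastic) that encodes the per-branch fix versions so the check above does not misclassify 8.6.0, which is newer than 8.5.0 but still unpatched; the inventory step reuses the advisory's Win32_Product command, which is slow and triggers an MSI consistency check on every installed package.

```powershell
# Added example, not Elastic's code: classify an Elastic Endpoint Security
# version against the CVE-2022-38777 fix versions 7.17.9, 8.5.0 and 8.6.1.
# A plain "newer than 8.5.0" test is wrong: 8.6.0 is newer yet unpatched.
function Test-Cve202238777 {
    param([Parameter(Mandatory)][version]$Version)

    # First fixed release on each branch that received a backport.
    $fixed = @{
        '7.17' = [version]'7.17.9'
        '8.5'  = [version]'8.5.0'
        '8.6'  = [version]'8.6.1'
    }
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor

    if ($Version.Major -lt 7) { return $true }              # older major lines: unpatched
    if ($Version.Major -eq 7) {
        if ($Version.Minor -lt 17) { return $true }          # 7.0 - 7.16 never got the fix
        return $Version -lt $fixed['7.17']                   # 7.17.x: fixed from 7.17.9
    }
    if ($Version.Major -eq 8) {
        if ($Version.Minor -lt 5) { return $true }           # 8.0 - 8.4: unpatched
        if ($fixed.ContainsKey($branch)) {
            return $Version -lt $fixed[$branch]              # 8.5.x / 8.6.x: compare to fix
        }
        return $false                                        # 8.7 and later ship after the fix
    }
    return $false                                            # 9.x and later
}

# Walk through constructed sample versions, one on each side of every boundary.
foreach ($v in '7.16.3', '7.17.8', '7.17.9', '8.4.3', '8.5.0', '8.6.0', '8.6.1', '8.7.0') {
    '{0,-8} vulnerable: {1}' -f $v, (Test-Cve202238777 -Version $v)
}

# Live check on this host, using the advisory's inventory command. Win32_Product
# enumeration is slow and reconfigures MSI packages as a side effect; prefer an
# off-hours window. Product name matching assumes the advisory's '*Elastic Endpoint*'.
Get-WmiObject -Class Win32_Product |
    Where-Object { $_.Name -like '*Elastic Endpoint*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Version    = $_.Version
            Vulnerable = Test-Cve202238777 -Version $_.Version
        }
    }
```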

📡 Detection & Monitoring

Log Indicators:

  • Unusual rollback operations in Elastic Endpoint logs
  • Privilege escalation attempts in Windows Security logs
  • Unexpected LocalSystem account activity

Network Indicators:

  • Unusual outbound connections from systems after privilege escalation

SIEM Query (Splunk-style search syntax; PrivilegeList holds every privilege granted at logon, so SeDebugPrivilege must be matched as a substring, not as the whole field value):

source="windows-security" EventID=4672 AND NOT SubjectUserName IN ("SYSTEM", "Administrator") AND PrivilegeList="*SeDebugPrivilege*"
