CVE-2022-48221

7.5 HIGH

📋 TL;DR

A standard (non-administrative) local user can obtain SYSTEM-level code execution by winning a race condition against the Acuant AcuFill SDK installer, using opportunistic locks (OpLocks) to control the timing. Hosts are exposed when they run a vulnerable AcuFill SDK version and standard users can write to the directories the installer works from. This is an elevation-of-privilege flaw: success hands the attacker full control of the affected system.

💻 Affected Systems

Products:
  • Acuant AcuFill SDK
Versions: All versions before 10.22.02.03
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access as a standard user and a vulnerable Acuant AcuFill SDK installer or installation on the host.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full SYSTEM compromise: complete control of the affected host, data theft, lateral movement, and establishment of persistence.

🟠 Likely Case

Local privilege escalation from a standard user to SYSTEM, enabling malware installation, credential harvesting, and disabling or bypassing of security controls.

🟢 If Mitigated

Limited impact if access controls prevent standard users from writing to the directories the installer reads from, or if the vulnerable software is not installed.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Standard users on affected systems can escalate to SYSTEM privileges, posing significant internal security risks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access as a standard user and depends on winning a race against the installer while it runs with elevated privileges. An opportunistic lock (OpLock) placed on a file the installer is about to open lets the attacker pause the privileged process at exactly that moment, turning an otherwise narrow timing window into a reliable one; attacker-controlled content is swapped in before the lock is released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.22.02.03 and later

Vendor Advisory: https://acuant.com

Restart Required: Yes

Instructions:

1. Download Acuant AcuFill SDK version 10.22.02.03 or later from Acuant's official website.
2. Uninstall previous vulnerable versions.
3. Install the patched version. Because the flaw is in the installer itself, run it from a location standard users cannot write to.
4. Restart the system to ensure all changes take effect.

🔧 Temporary Workarounds

Restrict directory permissions

windows

Modify permissions on the directories the installer reads from so that standard users cannot create or modify files there. Confirm the actual path first (the InstallLocation value of the product's Uninstall registry entry); the Program Files default below is the usual location, not a guarantee. A Deny ACE overrides every Allow ACE, so test that the SDK still works for non-admin users afterwards and remove the ACE once the patch is applied. Note that a default Program Files directory is already read-only for Users; if the installer is run from a user-writable folder such as Downloads or %TEMP%, this ACL does not close the window, and the installer should instead be run from an administrator-only location.

icacls "C:\Program Files\Acuant" /deny Users:(OI)(CI)W

Remove vulnerable software

windows

Uninstall Acuant AcuFill SDK if not required for business operations

appwiz.cpl

🧯 If You Can't Patch

  • Enforce strict access controls so standard users cannot write to program installation directories or to the location an installer is run from
  • Monitor for unexpected SYSTEM-level child processes of the AcuFill installer or msiexec.exe, and enforce application control (AppLocker or WDAC) that blocks execution from user-writable paths

🔍 How to Verify

Check if Vulnerable:

Check the installed Acuant AcuFill SDK version in Programs and Features (the DisplayVersion of the AcuFill entry under the Windows Installer Uninstall keys, in both the 64-bit and WOW6432Node views), or query the vendor registry key below if the installer created one: HKEY_LOCAL_MACHINE\SOFTWARE\Acuant\AcuFill SDK

Check Version:

reg query "HKLM\SOFTWARE\Acuant\AcuFill SDK" /v Version

Verify Fix Applied:

Verify installed version is 10.22.02.03 or later and check that standard users cannot write to Acuant installation directories
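A PowerShell check that performs both verification steps above, added here as an example and not taken from the page or from Acuant: it reads the DisplayVersion of every AcuFill entry under the Windows Installer Uninstall keys, compares it with the fixed release, and inspects the install directory's ACL for write rights granted to low-privilege principals. The fallback path C:\Program Files\Acuant and the list of low-privilege principals are assumptions; adjust them to your build. Run it from an elevated prompt.

```powershell
# Added example (not from the page or the vendor): report the installed AcuFill SDK
# version against the fixed release and check whether standard users hold write
# rights on the install directory.
function Test-AcuFillExposure {
    [CmdletBinding()]
    param(
        # Fixed release named on this page; [version] normalises 10.22.02.03 to 10.22.2.3
        [version] $FixedVersion = '10.22.02.03',
        # Assumed default; used only when the Uninstall entry has no InstallLocation
        [string]  $DefaultInstallDir = 'C:\Program Files\Acuant'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AcuFill*' }

    if (-not $entries) {
        return [pscustomobject]@{
            DisplayName = 'n/a'; Version = 'n/a'; Status = 'not installed'
            InstallDir = 'n/a'; StandardUsersCanWrite = $false
        }
    }

    # Any of these rights lets a principal create or modify files in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'
    # Assumed set of principals that a standard interactive user is a member of.
    $lowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'

    foreach ($e in $entries) {
        $installed = $null
        $status = 'unknown version (treat as vulnerable)'
        if ([version]::TryParse([string]$e.DisplayVersion, [ref]$installed)) {
            $status = if ($installed -lt $FixedVersion) { 'VULNERABLE' } else { 'patched' }
        }

        $dir = if ($e.InstallLocation) { $e.InstallLocation } else { $DefaultInstallDir }
        $canWrite = $false
        if (Test-Path -LiteralPath $dir) {
            $acl = Get-Acl -LiteralPath $dir
            $writeAces = $acl.Access | Where-Object {
                $_.IdentityReference.Value -in $lowPrivPrincipals -and
                ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0
            }
            $allow = $writeAces | Where-Object AccessControlType -eq 'Allow'
            $deny  = $writeAces | Where-Object AccessControlType -eq 'Deny'
            # Approximation: a Deny ACE for one of these principals (e.g. the icacls
            # workaround) takes precedence over any Allow ACE for them.
            $canWrite = [bool]$allow -and -not $deny
        }

        [pscustomobject]@{
            DisplayName           = $e.DisplayName
            Version               = $e.DisplayVersion
            Status                = $status
            InstallDir            = $dir
            StandardUsersCanWrite = $canWrite
        }
    }
}

Test-AcuFillExposure | Format-Table -AutoSize
```

A host is fixed only when Status reads patched and StandardUsersCanWrite is False for every entry; an unparseable DisplayVersion is deliberately reported as vulnerable rather than silently passed.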

📡 Detection & Monitoring

Log Indicators:

  • Child processes of the AcuFill installer or msiexec.exe running as SYSTEM whose image resides in a user-writable path (%TEMP%, Downloads, ProgramData) or is a command interpreter (cmd.exe, powershell.exe)
  • File creation or modification in the installer's working directory by a standard-user account while an installation is in progress (Sysmon Event ID 11, or Security event 4663 where object access auditing is enabled)

Network Indicators:

  • Unusual outbound connections from Acuant processes

SIEM Query:

Process Creation where (ParentImage contains "Acuant" OR ParentImage endswith "\msiexec.exe") AND User == "NT AUTHORITY\SYSTEM" AND (Image contains "\Users\" OR Image contains "\Temp\" OR Image endswith "\cmd.exe" OR Image endswith "\powershell.exe")
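The detection logic behind the indicators above, written out as an added PowerShell example rather than code from the page: it flattens Security event 4688 records and flags SYSTEM-integrity children of the AcuFill installer or msiexec.exe that start from a user-writable path or are command interpreters. The four sample records at the end are constructed for illustration, not real telemetry, and the installer file name AcuFillSDK_Setup.exe in them is an assumption.

```powershell
# Added example (not part of the original page): flatten Security event 4688 records
# and flag children of the AcuFill installer or msiexec.exe that run as SYSTEM from a
# user-writable location or as a command interpreter.

function ConvertFrom-ProcessCreationEvent {
    # Turns a 4688 EventRecord into a flat object keyed by the EventData field names
    # (NewProcessName, ParentProcessName, SubjectUserName, MandatoryLabel, ...).
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $rec = @{ TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Find-SuspiciousInstallerChild {
    # Emits one finding per record that satisfies all three conditions:
    # SYSTEM integrity, installer/msiexec parent, and an unexpected child image.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    begin {
        $userWritable = '\\Users\\|\\Temp\\|\\ProgramData\\'
        $interpreters = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
        $systemLabel  = 'S-1-16-16384'   # System Mandatory Level
    }
    process {
        $parent = [string]$Record.ParentProcessName
        $child  = [string]$Record.NewProcessName
        $asSystem        = ($Record.MandatoryLabel -eq $systemLabel) -or ($Record.SubjectUserName -eq 'SYSTEM')
        $installerParent = $parent -match 'acuant|acufill|\\msiexec\.exe$'
        $isInterpreter   = $child -match $interpreters
        $inUserWritable  = $child -match $userWritable
        if ($asSystem -and $installerParent -and ($isInterpreter -or $inUserWritable)) {
            [pscustomobject]@{
                Time   = $Record.TimeCreated
                Parent = $parent
                Child  = $child
                Reason = if ($isInterpreter) { 'interpreter spawned as SYSTEM by installer' } else { 'SYSTEM process image in user-writable path' }
            }
        }
    }
}

# Constructed sample records (not real telemetry) shaped like flattened 4688 events.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:12:01'; SubjectUserName = 'SYSTEM'; MandatoryLabel = 'S-1-16-16384'
                       ParentProcessName = 'C:\Windows\System32\msiexec.exe'; NewProcessName = 'C:\Users\alice\AppData\Local\Temp\helper.exe' }
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:12:02'; SubjectUserName = 'SYSTEM'; MandatoryLabel = 'S-1-16-16384'
                       ParentProcessName = 'C:\Users\alice\Downloads\AcuFillSDK_Setup.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:12:03'; SubjectUserName = 'alice'; MandatoryLabel = 'S-1-16-8192'
                       ParentProcessName = 'C:\Windows\explorer.exe'; NewProcessName = 'C:\Users\alice\Downloads\AcuFillSDK_Setup.exe' }  # benign: user starts installer
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:12:04'; SubjectUserName = 'SYSTEM'; MandatoryLabel = 'S-1-16-16384'
                       ParentProcessName = 'C:\Windows\System32\msiexec.exe'; NewProcessName = 'C:\Windows\System32\msiexec.exe' }  # benign: MSI server child
)
$sample | Find-SuspiciousInstallerChild | Format-Table -AutoSize

# Live use (Windows 10 / Server 2016 and later, where 4688 carries ParentProcessName and MandatoryLabel):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-ProcessCreationEvent | Find-SuspiciousInstallerChild
```

With Sysmon instead of the Security log, map ParentImage, Image and IntegrityLevel from Event ID 1 onto the same three conditions. Legitimate MSI custom actions also run as SYSTEM under msiexec.exe, so baseline a clean installation and allowlist its children before turning this into an alert.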
