CVE-2022-4956

7.8 HIGH

📋 TL;DR

CVE-2022-4956 is a high-severity (CVSS 7.8) local privilege escalation vulnerability in Caphyon Advanced Installer 19.7 that allows attackers to execute arbitrary code with elevated privileges by exploiting an uncontrolled search path in the WinSxS DLL handler. This affects users running Advanced Installer 19.7 on Windows systems. Attackers must have local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Caphyon Advanced Installer
Versions: Version 19.7 only
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Advanced Installer 19.7; earlier versions and version 19.7.1 are not vulnerable. Requires Windows operating system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM/administrator privileges, allowing installation of persistent malware, credential theft, and complete control of the affected system.

🟠 Likely Case: Local privilege escalation from a standard user account to administrator/SYSTEM privileges, enabling lateral movement within the network and installation of additional malicious software.

🟢 If Mitigated: Limited impact if proper access controls prevent local execution by untrusted users and endpoint protection detects DLL hijacking attempts.

🌐 Internet-Facing: LOW - Requires local access to exploit; cannot be triggered remotely over the internet.
🏢 Internal Only: HIGH - Internal attackers or compromised user accounts can exploit this to gain administrative privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly disclosed and the vulnerability is relatively straightforward to exploit with local access. Requires some user interaction or existing local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.7.1

Vendor Advisory: https://www.advancedinstaller.com/release-19.7.1.html#bugfixes

Restart Required: No

Instructions:

1. Download Advanced Installer 19.7.1 from the official website.
2. Run the installer to upgrade from version 19.7.
3. Verify the installation completed successfully.
4. No system restart is required.

🔧 Temporary Workarounds

Restrict DLL search path (Windows)

Configure Windows to restrict DLL search paths by enabling SafeDllSearchMode (applications you build yourself can additionally call the SetDefaultDllDirectories API):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

Remove vulnerable version (Windows)

Uninstall Advanced Installer 19.7 if it is not needed:

appwiz.cpl
Select 'Advanced Installer' and click Uninstall

🧯 If You Can't Patch

  • Restrict local access to systems running Advanced Installer 19.7 to trusted users only
  • Implement application whitelisting to prevent execution of unauthorized DLLs

🔍 How to Verify

Check if Vulnerable:

Check Advanced Installer version: Open Advanced Installer → Help → About. If version is exactly 19.7, the system is vulnerable.

Check Version:

wmic product where name="Advanced Installer" get version

Verify Fix Applied:

After patching, verify version shows 19.7.1 in Help → About menu.
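The following PowerShell script is an added example (not part of this advisory or vendor-supplied) that automates both checks above: it reads the installed Advanced Installer version from the Windows Uninstall registry keys instead of the slow wmic product query, flags exactly 19.7 as vulnerable, and reports the SafeDllSearchMode value set by the workaround. It assumes the product registers under the standard HKLM Uninstall keys with a DisplayName beginning "Advanced Installer" and a DisplayVersion such as "19.7" or "19.7.1".

```powershell
# Added example, not from the advisory or the vendor.
# Assumption: Advanced Installer registers under the HKLM Uninstall keys with
# DisplayName starting "Advanced Installer" and a DisplayVersion like "19.7".

function Test-AdvInstVulnerableVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # CVE-2022-4956 affects exactly 19.7; 19.7.1 and later are fixed and
    # earlier versions are not affected.
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    # "19.7" parses with Build = -1 and "19.7.0" with Build = 0; treat both as 19.7.
    return ($v.Major -eq 19 -and $v.Minor -eq 7 -and $v.Build -le 0)
}

function Get-AdvInstInstalls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Advanced Installer*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-SafeDllSearchMode {
    # A missing value means the Windows default, which is enabled (1).
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $p -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $val) { return 1 }
    return [int]$val
}

# Report the state of this host.
$installs = Get-AdvInstInstalls
if (-not $installs) { Write-Output 'Advanced Installer not found in the Uninstall registry keys.' }
foreach ($i in $installs) {
    $state = if (Test-AdvInstVulnerableVersion $i.DisplayVersion) {
        'VULNERABLE (CVE-2022-4956): upgrade to 19.7.1'
    } else {
        'not affected or already patched'
    }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
}
Write-Output ('SafeDllSearchMode = {0} (1 = enabled)' -f (Get-SafeDllSearchMode))
```

Run it in an elevated PowerShell session on each host you manage. Note that SafeDllSearchMode is already enabled by default on supported Windows versions and only moves the current directory later in the DLL search order; it does not stop a DLL planted in the application's own directory from being loaded, so treat it as hardening and rely on the 19.7.1 upgrade as the fix.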

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unexpected directories
  • Process creation events for Advanced Installer with suspicious parent processes

Network Indicators:

  • No network indicators as this is a local exploit

SIEM Query:

EventID=4688 AND ProcessName="AdvancedInstaller.exe" AND ParentProcessName NOT IN ("explorer.exe", "cmd.exe")
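The PowerShell below is an added example (not from the advisory) that turns the SIEM query above into a reusable filter: the decision logic lives in one function, it is exercised first on constructed sample events so the expected match is clear, and the same function is then applied to the live Security log. It assumes the executable is named AdvancedInstaller.exe as in the query above (adjust to the image name actually observed on your hosts), that process-creation auditing is enabled, and that the host is Windows 10 / Server 2016 or later, where event 4688 includes the ParentProcessName field.

```powershell
# Added example, not from the advisory. Assumes the binary name used in the
# advisory's SIEM query (AdvancedInstaller.exe) and 4688 auditing with the
# ParentProcessName field (Windows 10 / Server 2016 and later).

$AllowedParents = @('explorer.exe', 'cmd.exe')   # parents the advisory treats as expected

function Test-SuspiciousAdvInstLaunch {
    param(
        [Parameter(Mandatory)][string]$NewProcessName,
        [Parameter(Mandatory)][string]$ParentProcessName
    )
    # 4688 records full paths; compare on the file name only.
    $image  = [System.IO.Path]::GetFileName($NewProcessName)
    $parent = [System.IO.Path]::GetFileName($ParentProcessName)
    return ($image -ieq 'AdvancedInstaller.exe' -and $parent -notin $AllowedParents)
}

# Constructed sample events (not real log data, paths are placeholders) shaped
# like the 4688 fields the filter uses.
$samples = @(
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:00:00'
                       NewProcessName = 'C:\ExampleInstallDir\AdvancedInstaller.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:05:00'
                       NewProcessName = 'C:\ExampleInstallDir\AdvancedInstaller.exe'
                       ParentProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ TimeCreated = '2023-01-10T09:06:00'
                       NewProcessName = 'C:\Windows\System32\notepad.exe'
                       ParentProcessName = 'C:\Windows\System32\wscript.exe' }
)
# Only the second sample (launched from powershell.exe) is reported.
$samples | Where-Object { Test-SuspiciousAdvInstLaunch $_.NewProcessName $_.ParentProcessName }

# Live query against the Security log; parse the EventData XML to get named fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentProcessName -and (Test-SuspiciousAdvInstLaunch $d.NewProcessName $d.ParentProcessName)) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $d.SubjectUserName
                Image  = $d.NewProcessName
                Parent = $d.ParentProcessName
            }
        }
    }
```

Two caveats for the log indicators listed above: the built-in Security log records process creation but not DLL loads, so "DLL loading from unexpected directories" needs an image-load source such as Sysmon Event ID 7 (ImageLoaded), filtered on the loading process and a directory allowlist; and a parent-process allowlist of explorer.exe and cmd.exe will also flag legitimate launches from build agents or scripts, so tune it to your environment before alerting on it.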
