Known Active Exploitation of Windows CSRSS Elevation of Privilege Vulnerability (CVE-2022-22047)


FortiGuard Labs is aware of a newly reported and actively exploited zero day targeting Microsoft Windows and Windows Server (Windows CSRSS Elevation of Privilege Vulnerability). Assigned CVE-2022-22047, this vulnerability was discovered by Microsoft internally and credited to the Microsoft Security Response Center. As this vulnerability was disclosed by Microsoft, details surrounding this exploit are limited. Attackers successfully exploiting this vulnerability will gain SYSTEM privileges. Patches for this vulnerability were rolled out in this month's July 2022 release, which addresses 84 known vulnerabilities.

US-CERT (CISA) has added CVE-2022-22047 to its recently published Known Exploited Vulnerabilities Catalog. A link can be found in the APPENDIX section.

Is this Being Exploited in the Wild?

Yes. Microsoft has confirmed reports of active exploitation.

How Serious of a Vulnerability is this?

Medium. This is due to the vulnerability not being remotely exploitable and a patch being available.

What is the CVSS score for this issue?


Is this Vulnerability Remotely Exploitable?

No. This is a local vulnerability.

How is this Vulnerability Actively Being Exploited if it is a Local Vulnerability?

Although there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges.

What Operating Systems are Affected?

Microsoft Windows 7,8,10,11 and Microsoft Windows Server 2012 and 2008 versions are affected.

Is there a Patch Available?

Yes. A patch was included in this months Microsoft July 2022 update.

What Protections are Available?

Fortinet customers running the latest (IPS) definitions are currently protected against CVE-2022-22047 by the following signature: