High
CVE-2022-21874
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(1 user assessed)
Low
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Description
Windows Security Center API Remote Code Execution Vulnerability.
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
Writeup for this vulnerability is rather interesting and I think a few people may have read the Microsoft advisory somewhat incorrectly.
The attack vector for this is listed as local which is odd given this is listed as an RCE vulnerability in the Windows Security Center API.
However looking at Microsoft’s description closer we can see that the Attack Vector value of Local is also applied if the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability.
Looking further down the assessment we can see the complexity is considered Low, no privileges are required, however User Interaction is marked as Required.
This suggests that it is possible to somehow exploit this vulnerability by either sending the target a request which then opens a prompt that they have to interact with, or by sending them some malicious document which then triggers the vulnerability.
Given this has a high impact on both Confidentiality, Integrity, and Availability I would say this likely gives you pretty high level access should you be able to exploit it successfully.
The patch was likely applied to the wscsvc.dll file given the modification dates and info on the web about how the Windows Security Service works, but I’ll have to do a more in depth analysis to determine what exactly was changed. Hopefully this information is useful for now though.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Vendors
- Microsoft
Products
- Windows,
- Windows Server,
- Windows 10 Version 1909 for 32-bit Systems,
- Windows 10 Version 1909 for x64-based Systems,
- Windows 10 Version 1909 for ARM64-based Systems,
- Windows 10 Version 21H1 for x64-based Systems,
- Windows 10 Version 21H1 for ARM64-based Systems,
- Windows Server 2022 (Server Core installation),
- Windows 10 Version 21H1 for 32-bit Systems,
- Windows Server 2022,
- Windows 10 Version 20H2 for x64-based Systems,
- Windows 10 Version 20H2 for 32-bit Systems,
- Windows Server, version 20H2 (Server Core Installation),
- Windows 10 Version 20H2 for ARM64-based Systems,
- Windows 11 for x64-based Systems,
- Windows 10 Version 21H2 for 32-bit Systems,
- Windows 11 for ARM64-based Systems,
- Windows 10 Version 21H2 for ARM64-based Systems,
- Windows 10 Version 21H2 for x64-based Systems
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
