Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
3

CVE-2022-21906

Disclosure Date: January 11, 2022
CVE-2022-21906 CVSS v3 Base Score: 5.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated

Description

Windows Defender Application Control Security Feature Bypass Vulnerability

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

CVE-2022-21906

Microsoft

Vendor

Description

Windows Defender Application Control Security Feature Bypass Vulnerability.
The attacker can execute extremely dangerous apps by using different scenarios,
directly from the user profile, without any reaction from the side of the Windows Defender.
Read more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21906

The latest version of Windows 10 Pro, plus the latest update!

Reproduce:

href

Proof and Exploit

href

BugCheck after the exploit, the reaction of the kernel:

  • BSOD.exe
1: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  BSOD.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------
  • malicious.exe
0: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  malicious.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------

BR

nu11secur1ty

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1809 10.0.17763.2452
Windows Server 2019 10.0.17763.2452
Windows Server 2019 (Server Core installation) 10.0.17763.2452
Windows 10 Version 1909 10.0.18363.2037
Windows 10 Version 21H1 10.0.19043.1466
Windows Server 2022 10.0.20348.469
Windows 10 Version 20H2 10.0.19042.1466
Windows Server version 20H2 10.0.19042.1466
Windows 11 version 21H2 10.0.22000.434
Windows 10 Version 21H2 10.0.19044.1466
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1809,
  • windows 10 1909,
  • windows 10 20h2,
  • windows 10 21h1,
  • windows 10 21h2,
  • windows 11 -,
  • windows server 2019 -,
  • windows server 2022,
  • windows server 20h2
Technical Analysis