CVE-2022-21919 Overview
CVE-2022-21919 is an Elevation of Privilege vulnerability affecting the Windows User Profile Service across a wide range of Microsoft Windows operating systems. This vulnerability allows an authenticated attacker with local access to exploit improper link resolution (CWE-59: Improper Link Resolution Before File Access) within the User Profile Service to elevate their privileges on the affected system.
The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating that it has been actively exploited in the wild. Organizations using affected Windows versions should treat remediation of this vulnerability as a high priority.
Critical Impact
Active exploitation confirmed - A local attacker with low privileges can exploit this symlink vulnerability in the Windows User Profile Service to gain elevated privileges, potentially achieving SYSTEM-level access on affected Windows systems.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 20H2
Discovery Timeline
- January 11, 2022 - CVE-2022-21919 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-21919
Vulnerability Analysis
The Windows User Profile Service (ProfSvc) is responsible for loading and unloading user profiles during logon and logoff events. CVE-2022-21919 exists due to improper handling of symbolic links (symlinks) within the service, classified under CWE-59 (Improper Link Resolution Before File Access, commonly known as "Link Following").
The vulnerability requires local access to the target system and an authenticated user account with low privileges. While the attack complexity is considered high due to the specific conditions required for successful exploitation, the potential impact is significant. Successful exploitation allows an attacker to escalate privileges, potentially gaining SYSTEM-level access and achieving complete compromise of confidentiality, integrity, and availability on the affected system.
Root Cause
The root cause of this vulnerability is improper validation of symbolic links by the Windows User Profile Service before performing file access operations. The service fails to adequately verify the destination of symbolic links, allowing an attacker to create malicious symlinks that redirect file operations to arbitrary locations with elevated privileges.
This type of vulnerability, known as a symlink attack or link following vulnerability, occurs when a privileged process follows a symbolic link created by an unprivileged user, inadvertently performing operations with elevated permissions on files or directories the attacker should not have access to.
Attack Vector
The attack requires local access to the affected system with valid user credentials. An attacker must be able to execute code on the target system and create symbolic links in specific locations. The exploitation involves:
- Creating a carefully crafted symbolic link in a location accessible to the attacker
- Triggering the Windows User Profile Service to perform operations that follow the malicious symlink
- Exploiting the privileged context of the service to perform actions with elevated permissions
The vulnerability mechanism involves race conditions and precise timing of symlink creation to exploit the window between the service checking a path and performing operations on it. This symlink-based privilege escalation technique targets the privileged operations of the User Profile Service during profile loading or related file system operations. Detailed technical information is available in the Microsoft Security Advisory.
Detection Methods for CVE-2022-21919
Indicators of Compromise
- Unusual symbolic link creation in user profile directories or temporary folders
- Unexpected file system activity by the profsvc.dll component or User Profile Service
- Privilege escalation events where low-privilege users gain SYSTEM or Administrator access
- Anomalous process creation with elevated privileges following user profile operations
Detection Strategies
- Monitor for symlink creation in sensitive directories using file system auditing (Event ID 4663)
- Implement endpoint detection rules for suspicious User Profile Service behavior
- Deploy behavioral analysis to detect privilege escalation patterns following file operations
- Configure SIEM rules to correlate user logon events with unexpected privilege changes
Monitoring Recommendations
- Enable Windows Security Event logging for file system operations and audit symlink-related activities
- Monitor the svchost.exe process hosting ProfSvc for anomalous child process creation
- Track object access events in user profile directories (%USERPROFILE%, %SystemDrive%\Users\)
- Implement SentinelOne behavioral AI to detect exploitation attempts in real-time
How to Mitigate CVE-2022-21919
Immediate Actions Required
- Apply Microsoft security updates addressing CVE-2022-21919 immediately
- Prioritize patching on systems where the vulnerability poses highest risk (multi-user systems, terminal servers)
- Review and restrict local user permissions where possible to limit attack surface
- Enable advanced auditing to detect potential exploitation attempts
Patch Information
Microsoft has released security updates to address this vulnerability as part of their regular Patch Tuesday releases. Administrators should apply the appropriate update for their Windows version as documented in the Microsoft Update Guide for CVE-2022-21919.
Due to the confirmed active exploitation tracked by CISA, organizations should treat this patch as a critical priority. The vulnerability affects virtually all supported Windows client and server versions, requiring a comprehensive patching effort across enterprise environments.
Workarounds
- Restrict local logon rights to trusted users only on sensitive systems
- Implement application control policies to limit execution of unauthorized code
- Use Windows Defender Credential Guard and other virtualization-based security features where available
- Deploy endpoint protection solutions like SentinelOne to detect and prevent exploitation attempts
# Enable auditing for object access to detect symlink exploitation attempts
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
# Verify current audit policy settings
auditpol /get /category:"Object Access"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
