CVE-2022-22047: Windows CSRSS Privilege Escalation Flaw

CVE-2022-22047 Overview

CVE-2022-22047 is an elevation of privilege vulnerability in the Windows Client Server Run-time Subsystem (CSRSS). An authenticated local attacker can exploit the flaw to gain SYSTEM-level privileges on affected Windows client and server platforms. Microsoft addressed the issue in the July 2022 Patch Tuesday release. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The weakness is classified under [CWE-426] Untrusted Search Path. The vulnerability affects a wide range of supported Windows versions, from Windows 7 and Server 2008 through Windows 11 and Server 2022.

Critical Impact

Successful exploitation grants SYSTEM privileges on the local host, enabling full compromise of the affected Windows system and a foothold for lateral movement.

Affected Products

• Microsoft Windows 10 (1507, 1607, 1809, 20H2, 21H1, 21H2) and Windows 11 21H2
• Microsoft Windows 7 SP1, Windows 8.1, and Windows RT 8.1
• Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and Server 20H2

Discovery Timeline

• 2022-07-12 - CVE-2022-22047 published to NVD and addressed in Microsoft July 2022 security updates
• 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2022-22047

Vulnerability Analysis

The vulnerability resides in the Client Server Run-time Subsystem (csrss.exe), a core Windows component that runs as a protected SYSTEM process. CSRSS handles console windows, process and thread management, and provides services to user-mode applications via the Windows subsystem. A flaw in how CSRSS processes input from lower-privileged processes allows an attacker who has already executed code on the host to escalate to SYSTEM. Microsoft categorized the issue as an elevation of privilege requiring local access and low privileges, with no user interaction required. CISA's inclusion in the KEV catalog confirms that threat actors have weaponized the issue in real intrusions.

Root Cause

The weakness maps to [CWE-426] Untrusted Search Path, where a high-privileged process resolves a resource using a search path influenced by a lower-privileged actor. In the context of CSRSS, an attacker can manipulate the resolution path used by the subsystem so that an attacker-controlled component is loaded and executed in the SYSTEM-level CSRSS process context.

Attack Vector

Exploitation requires local code execution as a standard user. The attacker stages a malicious resource where the privileged CSRSS process will resolve and load it, causing the attacker-controlled code path to execute with SYSTEM authority. Because the attack vector is local and complexity is low, the technique is well suited as a post-exploitation step following initial access via phishing, malicious documents, or commodity loaders. Detailed exploitation specifics are referenced in the Microsoft Security Update Guide and the CISA KEV catalog.

Detection Methods for CVE-2022-22047

Indicators of Compromise

• Unexpected child processes spawned by csrss.exe, particularly command shells (cmd.exe, powershell.exe) or LOLBins.
• New SYSTEM-context processes appearing shortly after a standard user process executes, indicating a privilege transition.
• Suspicious files written to directories that may be referenced by CSRSS resource resolution, followed by privileged execution.

Detection Strategies

• Hunt for anomalous parent-child relationships involving csrss.exe across Windows endpoint telemetry.
• Correlate user-mode process activity with sudden token elevation events (Event ID 4672 - special privileges assigned to new logon) tied to processes that should not run as SYSTEM.
• Apply behavioral analytics to flag local privilege escalation patterns, such as standard-user processes performing actions that require SYSTEM rights immediately after spawning helper binaries.

Monitoring Recommendations

• Enable Sysmon Event ID 1 (process creation) and Event ID 11 (file create) to capture CSRSS-related activity and file drops in sensitive directories.
• Forward Windows Security and Sysmon logs to a centralized SIEM or data lake for cross-host correlation.
• Monitor patch compliance for the July 2022 Microsoft cumulative updates across all Windows endpoints and servers.

How to Mitigate CVE-2022-22047

Immediate Actions Required

• Apply the July 2022 (or later) Microsoft cumulative security update to all affected Windows client and server systems.
• Prioritize patching on multi-user systems, terminal servers, and any host accessible to non-administrative users.
• Audit endpoints for prior compromise given that CVE-2022-22047 is listed in the CISA KEV catalog as actively exploited.

Patch Information

Microsoft released fixes as part of the July 12, 2022 Patch Tuesday release. Administrators should consult the Microsoft Security Update Guide for CVE-2022-22047 for KB article numbers specific to each Windows version and deploy through Windows Update, WSUS, or Microsoft Endpoint Configuration Manager.

Workarounds

• No vendor-supplied workaround exists; patching is the only supported remediation.
• Reduce risk by enforcing least-privilege access, restricting interactive logon to trusted users, and applying application allowlisting to limit attacker code execution prerequisites.
• Isolate unpatched legacy systems (such as Windows 7 or Server 2008) using network segmentation until updates are applied.

# Verify installation of the July 2022 cumulative update on Windows
wmic qfe list brief /format:table

# PowerShell: list installed hotfixes filtered by July 2022
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2022-07-12' }