CVE Vulnerability Database

CVE-2022-24500: Windows 10 SMB RCE Vulnerability

CVE-2022-24500 is a remote code execution vulnerability in Windows 10 SMB that allows attackers to execute arbitrary code. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2022-24500 Overview

CVE-2022-24500 is a remote code execution vulnerability affecting the Server Message Block (SMB) implementation across supported Microsoft Windows client and server versions. Microsoft disclosed the issue on April 15, 2022, and assigned it a CVSS 3.1 base score of 8.8. Exploitation occurs over the network and requires user interaction, after which an attacker can run arbitrary code with the privileges of the affected user. The vulnerability impacts confidentiality, integrity, and availability, and applies to environments where SMB client or server traffic crosses untrusted boundaries.

Critical Impact

Successful exploitation enables attacker-controlled code execution on the targeted Windows host, putting domain credentials, file shares, and lateral movement paths at risk.

Affected Products

  • Microsoft Windows 10, Windows 11, Windows 7 SP1, Windows 8.1, and Windows RT 8.1
  • Microsoft Windows Server 2008, Server 2012, Server 2016, Server 2019, and Server 2022
  • All listed CPE entries covering ARM64 and x64 architectures across feature updates 1607, 1809, 1909, 20H2, 21H1, and 21H2

Discovery Timeline

  • 2022-04-15 - CVE-2022-24500 published to the National Vulnerability Database
  • 2022-04-15 - Microsoft releases security update guidance for CVE-2022-24500
  • 2024-11-21 - Last updated in the NVD

Technical Details for CVE-2022-24500

Vulnerability Analysis

The flaw resides in the Windows SMB stack, which handles file and printer sharing, named pipes, and inter-process communication across Windows systems. An attacker reachable over the network can trigger code execution after a user interacts with attacker-controlled SMB content, such as connecting to a malicious SMB share or opening a crafted resource. The bug carries a Network attack vector with Low complexity and no required privileges, but the User Interaction requirement constrains fully unauthenticated wormable exploitation. Microsoft classifies the issue under NVD-CWE-noinfo because detailed root-cause information was not published. Successful exploitation grants the attacker the rights of the targeted process or user, which on server roles can include elevated service contexts.

Root Cause

Microsoft has not publicly disclosed the specific memory safety or parsing defect underlying CVE-2022-24500. The advisory categorizes the issue as remote code execution within the SMB component, indicating improper handling of crafted SMB protocol traffic. Refer to the Microsoft Security Update for CVE-2022-24500 for vendor-supplied technical context and component mapping.

Attack Vector

Exploitation requires an attacker to host a malicious SMB endpoint and induce a target user to connect to it. The connection can be triggered through phishing, crafted documents containing UNC paths, or social engineering that points the victim at \\attacker\share style resources. Once the SMB session is established, the attacker delivers the malicious protocol payload that triggers the code execution condition. The EPSS score of 44.661% (97.617th percentile) indicates an elevated likelihood of exploit activity compared with the broader CVE population.

Detection Methods for CVE-2022-24500

Indicators of Compromise

  • Outbound SMB (TCP 445) connections from workstations to external or untrusted IP addresses
  • Unexpected child processes spawned by svchost.exe, explorer.exe, or Office applications following UNC path interaction
  • New scheduled tasks, services, or persistence artifacts created shortly after SMB activity to an unfamiliar host

Detection Strategies

  • Hunt for processes resolving UNC paths to external hosts, correlated with subsequent process creation or in-memory module loads
  • Alert on Windows Defender or AV detections involving SMB-delivered payloads or LSASS access from unusual parents
  • Review Sysmon Event IDs 3 (network connection) and 1 (process create) for SMB sessions immediately preceding code execution
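To show how the indicators and detection strategies above translate into correlation logic, here is an added example (not code from the original page) that runs over constructed Sysmon-style Event ID 3 and Event ID 1 records: it flags TCP 139/445 connections to destinations outside configured internal ranges and pairs them with process creates on the same host, within 60 seconds, whose parent is one of the listed shells or Office applications. The JSON layout, field names, internal ranges and time window are assumptions made for this example.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample Sysmon events (simplified JSON, one per line); not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 3, "Host": "WS01", "UtcTime": "2022-04-20 09:14:02", "Image": "C:\\Windows\\explorer.exe", "Protocol": "tcp", "DestinationIp": "10.0.5.20", "DestinationPort": 445}
{"EventID": 3, "Host": "WS01", "UtcTime": "2022-04-20 09:15:10", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Protocol": "tcp", "DestinationIp": "203.0.113.45", "DestinationPort": 445}
{"EventID": 1, "Host": "WS01", "UtcTime": "2022-04-20 09:15:14", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Host": "WS02", "UtcTime": "2022-04-20 09:15:20", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

# Address ranges treated as internal (assumed); any other SMB destination counts as external/untrusted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
# Parent images from the IoC list: shells and Office apps that may have resolved a UNC path.
SUSPICIOUS_PARENTS = {"explorer.exe", "svchost.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOW = timedelta(seconds=60)  # process creates this soon after the SMB session are correlated

def parse_events(text):
    """Parse one JSON event per line and attach a datetime so events can be ordered."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda e: e["ts"])

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def external_smb_connections(events):
    """Sysmon Event ID 3: TCP connections to 139/445 whose destination is not internal."""
    return [e for e in events if e["EventID"] == 3 and e.get("Protocol") == "tcp"
            and e["DestinationPort"] in SMB_PORTS and is_external(e["DestinationIp"])]

def correlate(events):
    """Pair each external SMB connection with Event ID 1 creates on the same host, within
    WINDOW, whose parent is one of the suspicious images; each pair becomes an alert."""
    alerts = []
    for conn in external_smb_connections(events):
        for p in (e for e in events if e["EventID"] == 1):
            delta = p["ts"] - conn["ts"]
            if (p["Host"] == conn["Host"] and timedelta(0) <= delta <= WINDOW
                    and basename(p["ParentImage"]) in SUSPICIOUS_PARENTS):
                alerts.append({"host": conn["Host"], "destination": conn["DestinationIp"],
                               "parent": basename(p["ParentImage"]), "child": basename(p["Image"]),
                               "seconds_after": int(delta.total_seconds())})
    return alerts
```

On the constructed sample, only the WS01 connection to 203.0.113.45 followed by WINWORD.EXE spawning cmd.exe produces an alert; the internal share access and the unrelated WS02 process create do not.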

Monitoring Recommendations

  • Block egress on TCP 445 and 139 at the perimeter and log any policy violations
  • Monitor authentication logs for anomalous NTLM activity tied to outbound SMB connections
  • Centralize endpoint and network telemetry to correlate phishing delivery, UNC resolution, and post-exploitation behavior

How to Mitigate CVE-2022-24500

Immediate Actions Required

  • Apply the April 2022 Microsoft security updates referenced in the MSRC advisory to all affected Windows client and server builds
  • Inventory hosts still running Windows 7 SP1, Windows 8.1, and Server 2008/2008 R2 and prioritize patching or isolation
  • Restrict outbound SMB traffic from user workstations to the internet using firewall and host-based rules

Patch Information

Microsoft published fixes for CVE-2022-24500 on April 15, 2022. Administrators should deploy the cumulative updates listed in the Microsoft Security Update for CVE-2022-24500 using Windows Update, WSUS, Microsoft Update Catalog, or supported endpoint management tooling.

Workarounds

  • Block TCP ports 139 and 445 at the network perimeter to prevent outbound SMB exploitation traffic
  • Disable SMBv1 and enforce SMB signing and encryption where supported on SMBv2/SMBv3
  • Apply Group Policy or AppLocker rules that prevent users from launching content delivered through untrusted UNC paths
```powershell
# Disable SMBv1 and block outbound SMB on Windows hosts (run from an elevated PowerShell session)
# Remove the SMBv1 optional feature (client and server); a restart may be required to complete this
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Turn off SMBv1 in the SMB server configuration without prompting for confirmation
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Block outbound SMB over TCP 445 and NetBIOS session traffic over TCP 139 with host firewall rules
New-NetFirewallRule -DisplayName "Block Outbound SMB 445" -Direction Outbound -Action Block -Protocol TCP -RemotePort 445
New-NetFirewallRule -DisplayName "Block Outbound SMB 139" -Direction Outbound -Action Block -Protocol TCP -RemotePort 139
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
