CVE-2022-30166 Overview
CVE-2022-30166 is a privilege escalation vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), a critical system process responsible for enforcing security policy on Windows systems. This vulnerability allows a locally authenticated attacker to elevate their privileges to SYSTEM level, gaining complete control over the affected Windows machine.
Critical Impact
An attacker with low-privilege local access can exploit this vulnerability in LSASS to gain SYSTEM-level privileges, potentially compromising the entire Windows system and any sensitive data or credentials it manages.
Affected Products
- Microsoft Windows 10 (all versions including 1607, 1809, 20H2, 21H1, 21H2)
- Microsoft Windows 11 (ARM64 and x64)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016 (including 20H2)
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022 (including Azure edition)
Discovery Timeline
- 2022-06-15 - CVE-2022-30166 published to NVD
- 2025-01-02 - Last updated in NVD database
Technical Details for CVE-2022-30166
Vulnerability Analysis
This vulnerability affects the Local Security Authority Subsystem Service (LSASS), specifically in the LsapGetClientInfo function where an improper impersonation level check occurs. LSASS is a fundamental Windows component that handles user authentication, password changes, and security token creation. Due to the privileged nature of this service, any flaw that allows unauthorized privilege escalation represents a significant security risk.
The vulnerability enables attackers who have already gained initial access to a Windows system with low-level privileges to escalate to SYSTEM-level access. This type of local privilege escalation is particularly dangerous in enterprise environments where attackers may initially compromise a workstation through phishing or other means and then need to escalate privileges for lateral movement.
Root Cause
The root cause of this vulnerability lies in an improper impersonation level check within the LsapGetClientInfo function of the LSASS service. When processing certain requests, the service fails to properly validate the impersonation level of the calling process, allowing an attacker to bypass intended security restrictions. This insufficient verification allows lower-privileged processes to perform operations that should be restricted to higher-privileged accounts.
Attack Vector
The attack requires local access to the target system. An attacker must first gain authenticated access to a Windows machine with low-level user privileges. Once on the system, they can exploit the impersonation level check bypass in LsapGetClientInfo to elevate their privileges to SYSTEM. The exploitation does not require user interaction and can be performed with low attack complexity, making it a practical target for post-compromise activities.
The vulnerability leverages improper impersonation level validation in the LSASS service. When a low-privileged process calls certain LSASS functions, the LsapGetClientInfo routine fails to properly verify that the caller has appropriate impersonation privileges. This allows the attacker's process to assume SYSTEM-level context, effectively bypassing Windows security boundaries. For detailed technical analysis, refer to the Packet Storm security advisory.
Detection Methods for CVE-2022-30166
Indicators of Compromise
- Unusual process activity involving lsass.exe or unexpected child processes spawned from LSASS
- Abnormal access patterns to LSASS memory or handles from non-administrative processes
- Security event logs showing privilege escalation attempts or token manipulation events
- Processes running as SYSTEM that originated from low-privileged user sessions
Detection Strategies
- Monitor for unusual LSASS behavior including unexpected API calls to LsapGetClientInfo or related functions
- Implement Windows Security Event monitoring for Event ID 4673 (Sensitive Privilege Use) and Event ID 4672 (Special privileges assigned to new logon)
- Deploy endpoint detection rules to identify privilege escalation patterns targeting Windows authentication subsystems
- Use SentinelOne's behavioral AI to detect anomalous process elevation patterns
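As an added example that is not part of this advisory, the following Python script applies the indicators listed above and the Event ID 4672 rule to Security-log records exported as JSON: it flags child processes of lsass.exe, SYSTEM processes created by a non-service account, and 4672 events for accounts outside an assumed allowlist. Field names mirror the EventData of events 4688 and 4672; the SIDs, log records and allowlist are constructed.

```python
import json

SYSTEM_SID = "S-1-5-18"
# Built-in service accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) that legitimately create SYSTEM processes.
BUILTIN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Assumption: accounts approved to hold sensitive privileges; a real deployment sources this from the directory.
APPROVED_PRIVILEGED_SIDS = {"S-1-5-21-1111-2222-3333-500"}

# Constructed sample log: one JSON object per line, shaped like EventData of events 4688 and 4672.
SAMPLE_LOG = r"""
{"EventID": 4688, "EventData": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "jdoe", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe"}}
{"EventID": 4688, "EventData": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "jdoe", "TargetUserSid": "S-1-5-18", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\lsass.exe"}}
{"EventID": 4688, "EventData": {"SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM", "TargetUserSid": "S-1-5-18", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "ParentProcessName": "C:\\Windows\\System32\\services.exe"}}
{"EventID": 4672, "EventData": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "Administrator", "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege"}}
{"EventID": 4672, "EventData": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "jdoe", "PrivilegeList": "SeDebugPrivilege"}}
"""

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_event(ev):
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings = []
    data = ev.get("EventData", {})
    subject = data.get("SubjectUserSid", "")
    if ev.get("EventID") == 4688:
        # Indicator 1: LSASS does not normally spawn child processes.
        if data.get("ParentProcessName", "").lower().endswith("\\lsass.exe"):
            findings.append(("lsass_child_process", data.get("NewProcessName", "")))
        # Indicator 2: a SYSTEM process whose creator is not a service account.
        if data.get("TargetUserSid") == SYSTEM_SID and subject not in BUILTIN_SIDS:
            findings.append(("system_process_from_user_session", data.get("SubjectUserName", "")))
    elif ev.get("EventID") == 4672:
        # Indicator 3: sensitive privileges assigned to an account not expected to hold them.
        if subject not in BUILTIN_SIDS | APPROVED_PRIVILEGED_SIDS:
            findings.append(("unexpected_special_privileges", data.get("PrivilegeList", "")))
    return findings

def scan(text):
    """Apply every rule to the log; returns a list of (event_no, rule, detail)."""
    return [(n, rule, detail)
            for n, ev in enumerate(parse_events(text), start=1)
            for rule, detail in check_event(ev)]

if __name__ == "__main__":
    for event_no, rule, detail in scan(SAMPLE_LOG):
        print(f"event {event_no}: {rule} ({detail})")
```

The 4672 rule is only as good as its allowlist; on an unbaselined host it will flag every administrator logon, so populate the approved set before relying on it.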
Monitoring Recommendations
- Enable enhanced logging for Windows Security Events related to authentication and privilege use
- Configure alerts for any unexpected processes obtaining SYSTEM-level tokens
- Monitor for lateral movement attempts following potential exploitation
- Implement continuous vulnerability assessment to identify unpatched systems
How to Mitigate CVE-2022-30166
Immediate Actions Required
- Apply the June 2022 Microsoft security updates immediately on all affected Windows systems
- Prioritize patching domain controllers and systems containing sensitive data
- Audit user access rights and remove unnecessary local access privileges
- Implement network segmentation to limit potential lateral movement
Patch Information
Microsoft has released security updates to address this vulnerability as part of the June 2022 Patch Tuesday release. Organizations should apply the appropriate update for their Windows version by visiting the Microsoft Security Update Guide for CVE-2022-30166. The patches address the improper impersonation level check in the LsapGetClientInfo function.
Workarounds
- Enforce strict least-privilege policies to limit local user access on critical systems
- Implement application control policies to restrict unauthorized executable code
- Enable Windows Defender Credential Guard on supported systems to protect LSASS
- Deploy SentinelOne endpoint protection for real-time detection and prevention of exploitation attempts
# Enable Credential Guard via Group Policy (for supported systems)
# Configure via Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Device Guard
# Enable "Turn On Virtualization Based Security" and set "Credential Guard Configuration" to enabled
# Verify Credential Guard status: SecurityServicesConfigured shows what policy requested, SecurityServicesRunning
# what is actually active (1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity); an empty Running list means VBS is not protecting LSASS yet
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesConfigured, SecurityServicesRunning
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.