Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-38028

CVE-2022-38028: Windows 10 Privilege Escalation Flaw

CVE-2022-38028 is a privilege escalation vulnerability in Windows Print Spooler affecting Windows 10 1507 that enables attackers to gain elevated system privileges. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2022-38028 Overview

CVE-2022-38028 is a Windows Print Spooler Elevation of Privilege vulnerability that affects a wide range of Microsoft Windows operating systems, including Windows 8.1, Windows 10, Windows 11, and multiple Windows Server versions. This vulnerability allows an attacker with low privileges to escalate to SYSTEM-level access on affected systems by exploiting weaknesses in the Windows Print Spooler service.

Critical Impact

This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Attackers can leverage this flaw to gain complete control over affected Windows systems.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2)
  • Microsoft Windows 11 22H2
  • Microsoft Windows 8.1 and Windows RT 8.1
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, and 2022

Discovery Timeline

  • October 11, 2022 - CVE-2022-38028 published to NVD
  • October 30, 2025 - Last updated in NVD database

Technical Details for CVE-2022-38028

Vulnerability Analysis

The Windows Print Spooler service is a critical Windows component responsible for managing print jobs and printer queues. CVE-2022-38028 represents a privilege escalation vulnerability within this service that allows attackers with local access and low-level privileges to elevate their access to SYSTEM-level permissions.

This vulnerability is particularly dangerous because the Print Spooler service runs with SYSTEM privileges by default, and successful exploitation grants attackers the highest level of access on a Windows system. Once SYSTEM-level access is achieved, an attacker can install programs, view, change, or delete data, and create new accounts with full user rights.

The attack requires local access to the target system, meaning an attacker would need to have initial access through another vector such as phishing, malware, or compromised credentials before exploiting this vulnerability.

Root Cause

The root cause of CVE-2022-38028 lies in improper handling of file operations within the Windows Print Spooler service. The vulnerability stems from the Print Spooler's failure to properly validate and restrict file operations, allowing a low-privileged user to manipulate certain files in a way that leads to privilege escalation to SYSTEM level.

Attack Vector

The attack vector for CVE-2022-38028 is local, requiring the attacker to have authenticated access to the target system with low-level user privileges. The attack exploits the Print Spooler service's elevated permissions to perform operations that should not be accessible to standard users.

The exploitation process typically involves:

  1. Gaining initial access to the target Windows system with standard user privileges
  2. Identifying that the Print Spooler service is running (enabled by default on most Windows systems)
  3. Executing a specially crafted payload that interacts with the Print Spooler service
  4. Leveraging the improper file handling to escalate privileges to SYSTEM level

The low attack complexity combined with no user interaction requirement makes this vulnerability highly practical for post-compromise escalation scenarios.

Detection Methods for CVE-2022-38028

Indicators of Compromise

  • Unusual process spawning from the spoolsv.exe Print Spooler service process
  • Unexpected modifications to files in the Windows Print Spooler directories (%SystemRoot%\System32\spool\)
  • Anomalous privilege escalation events correlating with Print Spooler activity
  • Suspicious DLL loading or file operations initiated by low-privileged users targeting Print Spooler components

Detection Strategies

  • Monitor Windows Event Logs for suspicious Print Spooler-related events (Event IDs 316, 808, 811)
  • Implement endpoint detection rules to identify processes spawned with SYSTEM privileges from spoolsv.exe
  • Deploy file integrity monitoring on Print Spooler directories and related system files
  • Utilize behavioral analysis to detect unusual privilege escalation patterns on endpoints

Monitoring Recommendations

  • Enable verbose logging for the Print Spooler service through Group Policy
  • Configure SentinelOne agents to monitor for behavioral indicators associated with Print Spooler exploitation
  • Implement real-time alerting for any SYSTEM-level process creation from spoolsv.exe that is not associated with legitimate print operations
  • Review authentication logs for suspicious local authentication events preceding privilege escalation

How to Mitigate CVE-2022-38028

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2022-38028 immediately on all affected systems
  • If patching is not immediately possible, disable the Print Spooler service on systems where printing is not required
  • Prioritize patching for domain controllers and critical infrastructure servers
  • Conduct a security assessment to identify any systems that may have been compromised prior to patching

Patch Information

Microsoft has released security updates to address CVE-2022-38028. Organizations should apply the appropriate update for their Windows version as documented in the Microsoft Update Guide for CVE-2022-38028. Given the confirmed active exploitation status, this patch should be treated as a priority deployment.

The patch addresses the underlying file handling issues in the Print Spooler service that allow privilege escalation. Organizations should verify successful patch deployment through endpoint management tools and vulnerability scanning.

Workarounds

  • Disable the Print Spooler service on systems that do not require printing functionality using Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled
  • Implement network segmentation to limit lateral movement opportunities for attackers who may have exploited this vulnerability
  • Apply the principle of least privilege to limit the number of users with local access to sensitive systems
  • Consider deploying application control policies to restrict unauthorized executables from running
bash
# Disable Print Spooler service via PowerShell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Verify Print Spooler is disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne