CVE-2022-41125 Overview
CVE-2022-41125 is an elevation of privilege vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service. The flaw stems from an out-of-bounds write condition [CWE-787] in the KeyIso service, which runs in the LSA process and manages long-lived cryptographic keys. A locally authenticated attacker can exploit this issue to elevate privileges to SYSTEM on affected Windows desktop and server platforms. CISA added CVE-2022-41125 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Microsoft released a fix in the November 2022 Patch Tuesday cycle.
Critical Impact
A local authenticated attacker can achieve SYSTEM-level code execution by abusing the CNG Key Isolation Service, leading to full compromise of confidentiality, integrity, and availability on the host.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2, 22H2) and Windows 11 (21H2, 22H2)
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, and 2022
Discovery Timeline
- 2022-11-09 - CVE-2022-41125 published to NVD
- 2022-11-09 - Microsoft releases security patch via November 2022 Patch Tuesday
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2022-41125
Vulnerability Analysis
The Windows CNG Key Isolation Service (keyiso.dll, hosted within lsass.exe) provides isolated storage and operations for private keys used by CNG. The service exposes a set of Local Procedure Call (LPC) interfaces that user-mode processes call to perform cryptographic operations on protected key material. CVE-2022-41125 is an out-of-bounds write [CWE-787] reachable through these interfaces. An attacker with low-privileged local access can craft inputs that cause the service to write data beyond an allocated buffer in the SYSTEM-level process hosting the service. This corruption can be steered to hijack control flow or modify privileged state, resulting in code execution at SYSTEM. The exploitability is notable because the vulnerable code path is reachable from any authenticated user context, including standard non-administrative accounts.
Root Cause
The root cause is improper bounds validation on attacker-controlled input processed by the CNG Key Isolation Service. Insufficient length or size checks before a memory copy operation allow writing beyond the destination buffer boundary, corrupting adjacent memory within the protected process.
Attack Vector
Exploitation requires local access and low-privilege authentication. The attacker invokes the affected CNG Key Isolation LPC interface from a user-mode process with malformed parameters. No user interaction is required. Successful exploitation pivots the attacker from a standard user account to SYSTEM, enabling credential theft, persistence, security tool tampering, and lateral movement.
No public proof-of-concept exploit is available in ExploitDB; however, CISA KEV listing confirms in-the-wild exploitation. Technical details on the specific exploitation primitive have not been publicly published. Refer to the Microsoft Security Update Guide for CVE-2022-41125 for vendor analysis.
Detection Methods for CVE-2022-41125
Indicators of Compromise
- Unexpected crashes or restarts of lsass.exe correlated with WER (Windows Error Reporting) dumps referencing keyiso.dll or ncrypt.dll.
- New SYSTEM-level processes spawned from user-context parents shortly after CNG API invocation.
- Anomalous handle opens to \RPC Control\protected_storage or the CNG Key Isolation LPC ports from unusual processes.
- Creation of services, scheduled tasks, or registry persistence entries immediately following local privilege transitions.
Detection Strategies
- Monitor for Event ID 1000 (Application Error) and 1001 (WER) events naming lsass.exe with faulting module keyiso.dll.
- Correlate Sysmon Event ID 10 (ProcessAccess) events targeting lsass.exe with non-standard access masks from medium-integrity processes.
- Hunt for child processes of lsass.exe other than the small set of expected Windows binaries, which is highly anomalous.
- Track Windows Security Event ID 4673 and 4674 for sensitive privilege use that follows local logon events from non-admin users.
Monitoring Recommendations
- Enable PowerShell and command-line auditing to capture post-exploitation tooling executed at SYSTEM.
- Forward Sysmon, Security, and Application channel logs to a centralized analytics platform for cross-host correlation.
- Baseline normal CNG and lsass.exe behavior per host role to surface deviations indicative of exploitation attempts.
How to Mitigate CVE-2022-41125
Immediate Actions Required
- Apply the November 2022 Microsoft security updates to all affected Windows 10, Windows 11, Windows 8.1, and Windows Server 2012/2016/2019/2022 systems without delay.
- Prioritize patching of multi-user systems, jump hosts, terminal servers, and domain controllers where local privilege escalation has the largest blast radius.
- Audit local accounts and restrict interactive logon rights to reduce the population of users able to reach the local attack surface.
- Validate that endpoint protection is enabled with tamper protection to prevent attackers from disabling sensors post-exploit.
Patch Information
Microsoft addressed CVE-2022-41125 in the November 8, 2022 security updates. Refer to the Microsoft Security Update Guide for CVE-2022-41125 for KB article numbers specific to each affected Windows build. Confirm successful installation by checking the Installed Updates view or querying wmic qfe list for the corresponding KB IDs.
Workarounds
- No official workaround is published by Microsoft; patching is the required remediation.
- Reduce exposure by enforcing the principle of least privilege and removing unnecessary local accounts from systems pending patch deployment.
- Apply application allowlisting (e.g., Windows Defender Application Control or AppLocker) to limit execution of unsigned binaries that could carry exploit code.
# Verify the November 2022 patch is installed on affected Windows hosts
wmic qfe list brief /format:table | findstr /i "KB5019966 KB5019959 KB5019980 KB5019964"
# Confirm CNG Key Isolation Service status
sc query KeyIso
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
