Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-41125

CVE-2022-41125: Windows 10 Privilege Escalation Flaw

CVE-2022-41125 is a privilege escalation vulnerability in Windows CNG Key Isolation Service affecting Windows 10 1507. Attackers can exploit this flaw to gain elevated privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2022-41125 Overview

CVE-2022-41125 is an elevation of privilege vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service. The flaw stems from an out-of-bounds write condition [CWE-787] in the KeyIso service, which runs in the LSA process and manages long-lived cryptographic keys. A locally authenticated attacker can exploit this issue to elevate privileges to SYSTEM on affected Windows desktop and server platforms. CISA added CVE-2022-41125 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Microsoft released a fix in the November 2022 Patch Tuesday cycle.

Critical Impact

A local authenticated attacker can achieve SYSTEM-level code execution by abusing the CNG Key Isolation Service, leading to full compromise of confidentiality, integrity, and availability on the host.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2, 22H2) and Windows 11 (21H2, 22H2)
  • Microsoft Windows 8.1 and Windows RT 8.1
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, and 2022

Discovery Timeline

  • 2022-11-09 - CVE-2022-41125 published to NVD
  • 2022-11-09 - Microsoft releases security patch via November 2022 Patch Tuesday
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2022-41125

Vulnerability Analysis

The Windows CNG Key Isolation Service (keyiso.dll, hosted within lsass.exe) provides isolated storage and operations for private keys used by CNG. The service exposes a set of Local Procedure Call (LPC) interfaces that user-mode processes call to perform cryptographic operations on protected key material. CVE-2022-41125 is an out-of-bounds write [CWE-787] reachable through these interfaces. An attacker with low-privileged local access can craft inputs that cause the service to write data beyond an allocated buffer in the SYSTEM-level process hosting the service. This corruption can be steered to hijack control flow or modify privileged state, resulting in code execution at SYSTEM. The exploitability is notable because the vulnerable code path is reachable from any authenticated user context, including standard non-administrative accounts.

Root Cause

The root cause is improper bounds validation on attacker-controlled input processed by the CNG Key Isolation Service. Insufficient length or size checks before a memory copy operation allow writing beyond the destination buffer boundary, corrupting adjacent memory within the protected process.

Attack Vector

Exploitation requires local access and low-privilege authentication. The attacker invokes the affected CNG Key Isolation LPC interface from a user-mode process with malformed parameters. No user interaction is required. Successful exploitation pivots the attacker from a standard user account to SYSTEM, enabling credential theft, persistence, security tool tampering, and lateral movement.

No public proof-of-concept exploit is available in ExploitDB; however, CISA KEV listing confirms in-the-wild exploitation. Technical details on the specific exploitation primitive have not been publicly published. Refer to the Microsoft Security Update Guide for CVE-2022-41125 for vendor analysis.

Detection Methods for CVE-2022-41125

Indicators of Compromise

  • Unexpected crashes or restarts of lsass.exe correlated with WER (Windows Error Reporting) dumps referencing keyiso.dll or ncrypt.dll.
  • New SYSTEM-level processes spawned from user-context parents shortly after CNG API invocation.
  • Anomalous handle opens to \RPC Control\protected_storage or the CNG Key Isolation LPC ports from unusual processes.
  • Creation of services, scheduled tasks, or registry persistence entries immediately following local privilege transitions.

Detection Strategies

  • Monitor for Event ID 1000 (Application Error) and 1001 (WER) events naming lsass.exe with faulting module keyiso.dll.
  • Correlate Sysmon Event ID 10 (ProcessAccess) events targeting lsass.exe with non-standard access masks from medium-integrity processes.
  • Hunt for child processes of lsass.exe other than the small set of expected Windows binaries, which is highly anomalous.
  • Track Windows Security Event ID 4673 and 4674 for sensitive privilege use that follows local logon events from non-admin users.

Monitoring Recommendations

  • Enable PowerShell and command-line auditing to capture post-exploitation tooling executed at SYSTEM.
  • Forward Sysmon, Security, and Application channel logs to a centralized analytics platform for cross-host correlation.
  • Baseline normal CNG and lsass.exe behavior per host role to surface deviations indicative of exploitation attempts.

How to Mitigate CVE-2022-41125

Immediate Actions Required

  • Apply the November 2022 Microsoft security updates to all affected Windows 10, Windows 11, Windows 8.1, and Windows Server 2012/2016/2019/2022 systems without delay.
  • Prioritize patching of multi-user systems, jump hosts, terminal servers, and domain controllers where local privilege escalation has the largest blast radius.
  • Audit local accounts and restrict interactive logon rights to reduce the population of users able to reach the local attack surface.
  • Validate that endpoint protection is enabled with tamper protection to prevent attackers from disabling sensors post-exploit.

Patch Information

Microsoft addressed CVE-2022-41125 in the November 8, 2022 security updates. Refer to the Microsoft Security Update Guide for CVE-2022-41125 for KB article numbers specific to each affected Windows build. Confirm successful installation by checking the Installed Updates view or querying wmic qfe list for the corresponding KB IDs.

Workarounds

  • No official workaround is published by Microsoft; patching is the required remediation.
  • Reduce exposure by enforcing the principle of least privilege and removing unnecessary local accounts from systems pending patch deployment.
  • Apply application allowlisting (e.g., Windows Defender Application Control or AppLocker) to limit execution of unsigned binaries that could carry exploit code.
bash
# Verify the November 2022 patch is installed on affected Windows hosts
wmic qfe list brief /format:table | findstr /i "KB5019966 KB5019959 KB5019980 KB5019964"

# Confirm CNG Key Isolation Service status
sc query KeyIso

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.