CVE-2022-41975 Overview
CVE-2022-41975 is a local privilege escalation vulnerability affecting RealVNC VNC Server before version 6.11.0 and VNC Viewer before version 6.22.826 on Windows systems. The vulnerability exists in the MSI installer Repair mode functionality, which can be exploited by a local attacker with low privileges to escalate their privileges on the affected system.
Critical Impact
A local attacker with limited privileges can exploit the MSI installer Repair mode to gain elevated privileges, potentially achieving SYSTEM-level access on Windows systems running vulnerable versions of RealVNC products.
Affected Products
- RealVNC VNC Server versions before 6.11.0
- RealVNC VNC Viewer versions before 6.22.826
- Microsoft Windows (all supported versions), as the host platform
Discovery Timeline
- 2022-09-30 - CVE-2022-41975 published to NVD
- 2025-05-20 - Last updated in NVD database
Technical Details for CVE-2022-41975
Vulnerability Analysis
This vulnerability falls under the category of Privilege Escalation (CWE-269: Improper Privilege Management). The flaw resides in how the RealVNC MSI installer handles the Repair mode operation on Windows systems. MSI installers on Windows often execute repair operations with elevated privileges (SYSTEM), which can be abused if the installer does not properly validate and secure all operations during the repair process.
When a user triggers the Repair mode for an installed RealVNC product, certain operations may be executed in a privileged context. If an attacker can influence or manipulate resources that the installer accesses during repair (such as file paths, registry keys, or DLL loading behavior), they may be able to hijack the privileged execution context and escalate their privileges.
Root Cause
The root cause of CVE-2022-41975 is improper privilege management within the MSI installer Repair mode functionality. The installer fails to adequately restrict or validate operations that occur during the repair process, allowing a local attacker to leverage the elevated execution context of the repair operation. This type of vulnerability commonly occurs when installers perform file operations or load libraries from locations that a lower-privileged user can modify.
Attack Vector
The attack vector is local: the attacker must already have access to the target Windows system with at least low-level privileges. The attack scenario involves:
- The attacker identifies that a vulnerable version of RealVNC VNC Server or VNC Viewer is installed
- The attacker triggers or waits for the MSI installer Repair mode to be invoked
- During the repair process, the attacker exploits the improper privilege handling to execute code or operations in an elevated context
- The attacker achieves privilege escalation, potentially gaining SYSTEM-level access
Since this vulnerability requires local access and low privileges, it is typically exploited as part of a multi-stage attack where initial access has already been obtained through other means.
Detection Methods for CVE-2022-41975
Indicators of Compromise
- Unexpected invocation of msiexec.exe with repair mode parameters (/fa, /fo, /fm, /fu, /fp) targeting RealVNC installer packages
- Unusual process creation events where child processes spawn from msiexec.exe with elevated privileges
- Modifications to RealVNC installation directories or files by non-administrative users
- Suspicious file or DLL creation in installer-related temporary directories
Detection Strategies
- Monitor Windows Event Logs for MSI installer repair operations involving RealVNC products (Event ID 1033, 1034, 11707, 11724)
- Implement endpoint detection rules to alert on msiexec.exe execution with repair flags combined with RealVNC product codes
- Use SentinelOne's Behavioral AI to detect privilege escalation patterns associated with MSI installer abuse
- Deploy file integrity monitoring on RealVNC installation directories
Monitoring Recommendations
- Enable and centralize Windows Installer logs for analysis (MsiInstaller event source)
- Configure endpoint detection to alert on suspicious child process spawning from msiexec.exe with SYSTEM privileges
- Implement SentinelOne's real-time process monitoring to track MSI repair operations and associated privilege contexts
- Review audit logs for repair mode invocations on systems with RealVNC products installed
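The command-line and child-process checks listed above, as an added example (not SentinelOne's or RealVNC's code). It assumes process-creation events exported with Sysmon-style fields (Image, ParentImage, IntegrityLevel, CommandLine); the sample events, the "vnc" file-name match and the all-zero product code are constructed placeholders.

```python
import re
import shlex
from ntpath import basename

# Repair switch: /f or -f plus optional letters from p o e d c a u m s v.
# The fixed letter set keeps switches such as /forcerestart from matching.
REPAIR_SWITCH = re.compile(r"^[/-]f[poedcaumsv]*$", re.IGNORECASE)
VNC_NAME = re.compile(r"vnc", re.IGNORECASE)  # assumption: package file name contains "vnc"
PRODUCT_CODES = {"{00000000-0000-0000-0000-000000000000}"}  # placeholder, not a real code

def tokens(command_line):
    """Split a Windows command line, keeping backslashes, dropping surrounding quotes."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # quoted argument that is never closed
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def is_vnc_repair(event):
    """True when msiexec.exe is started in repair mode against a watched package."""
    if basename(event["Image"]).lower() != "msiexec.exe":
        return False
    args = tokens(event["CommandLine"])[1:]
    targets = [a for a in args if not a.startswith(("/", "-"))]
    wanted = any(VNC_NAME.search(basename(t)) or t.upper() in PRODUCT_CODES for t in targets)
    return wanted and any(REPAIR_SWITCH.match(a) for a in args)

def triage(events):
    """Return (reason, CommandLine) pairs for events an analyst should review."""
    hits = []
    for ev in events:
        if is_vnc_repair(ev) and ev["IntegrityLevel"] in ("Low", "Medium"):
            hits.append(("repair by non-elevated user", ev["CommandLine"]))
        elif (basename(ev["ParentImage"]).lower() == "msiexec.exe"
              and basename(ev["Image"]).lower() != "msiexec.exe"
              and ev["IntegrityLevel"] == "System"):
            hits.append(("SYSTEM child of msiexec.exe", ev["CommandLine"]))
    return hits

MSI = r"C:\Windows\System32\msiexec.exe"
# Constructed sample events, one row per process creation
FIELDS = ("Image", "ParentImage", "IntegrityLevel", "CommandLine")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in (
    (MSI, r"C:\Windows\explorer.exe", "Medium", r'msiexec.exe /fa "C:\Users\alice\Downloads\VNC-Server-sample.msi"'),
    (MSI, r"C:\Windows\explorer.exe", "Medium", r"msiexec /forcerestart /i C:\tmp\vnc-viewer.msi"),
    (MSI, r"C:\Windows\System32\cmd.exe", "Medium", r'"C:\Windows\System32\msiexec.exe" -FU {00000000-0000-0000-0000-000000000000} /qn'),
    (r"C:\Windows\System32\cmd.exe", MSI, "System", "cmd.exe"),
    (MSI, r"C:\Windows\explorer.exe", "Medium", r"msiexec /fa C:\tmp\other-product.msi"),
)]
```

Packages cached under C:\Windows\Installer carry generated file names, so the file-name match alone is not sufficient; populate PRODUCT_CODES from your own software inventory.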
How to Mitigate CVE-2022-41975
Immediate Actions Required
- Update RealVNC VNC Server to version 6.11.0 or later immediately
- Update RealVNC VNC Viewer to version 6.22.826 or later immediately
- Audit systems to identify all instances of vulnerable RealVNC product versions
- Apply the principle of least privilege to limit which users can invoke MSI repair operations
Patch Information
RealVNC has addressed this vulnerability in VNC Server version 6.11.0 and VNC Viewer version 6.22.826. Organizations should download and apply the latest versions from RealVNC's official channels. Detailed release information is available in the RealVNC Release Notes.
Workarounds
- Restrict local user access to MSI repair functionality using Group Policy or Software Restriction Policies
- Implement application whitelisting to control which users can execute msiexec.exe with repair parameters
- Monitor and audit MSI installer operations using Windows Installer logging policies
- Consider temporarily uninstalling vulnerable RealVNC products until patches can be applied in high-security environments
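```powershell
# Verify installed RealVNC version (PowerShell). Reads the Uninstall registry keys instead of
# Win32_Product, because enumerating Win32_Product makes Windows Installer validate every package.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*VNC*" } | Select-Object DisplayName, DisplayVersion
# Enable verbose MSI logging for detection (via Registry)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v Logging /t REG_SZ /d "voicewarmupx" /f
```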
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


