CVE-2022-44670: Windows SSTP Remote Code Execution Vulnerability

CVE-2022-44670 is a remote code execution vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP) service that allows an unauthenticated remote attacker to execute arbitrary code on a host that accepts SSTP connections. It affects Windows client and Windows Server releases from Windows 7 SP1 and Server 2008 SP2 through Windows 11 and Server 2022, not only Windows 10. This article covers technical details, affected versions, detection, and mitigations.

CVE-2022-44670 Overview

CVE-2022-44670 is a remote code execution vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP) service. The flaw stems from a Time-of-Check Time-of-Use (TOCTOU) race condition tracked under [CWE-367]. An unauthenticated attacker can target an SSTP server over the network and, by winning a race condition, achieve code execution in the context of the SSTP service. Microsoft addressed the issue in the December 2022 Patch Tuesday cycle. The vulnerability affects supported and legacy versions of Windows client and Windows Server, including systems exposing SSTP-based VPN endpoints.

Critical Impact

Successful exploitation gives the attacker remote code execution on a Windows host that accepts inbound SSTP connections, which in practice means RRAS/VPN gateways exposed to the internet or to untrusted networks. Windows client editions ship the same SSTP component and are listed as affected, so they need the update as well.

Affected Products

  • Microsoft Windows 10, Windows 11, Windows 8.1, Windows RT 8.1, and Windows 7 SP1
  • Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and 2022
  • Any Windows host with the SSTP service enabled, including RAS/VPN gateways

Discovery Timeline

  • 2022-12-13 - Microsoft published the security advisory and released the patch
  • 2022-12-13 - CVE-2022-44670 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-44670

Vulnerability Analysis

The Secure Socket Tunneling Protocol (SSTP) carries Point-to-Point Protocol (PPP) frames inside an HTTPS session: the client opens a TLS connection to TCP port 443, issues an HTTP request using the SSTP_DUPLEX_POST method, and then exchanges SSTP control and data packets over that stream. The SSTP service implementation contains a race condition between the validation of an SSTP control message and its subsequent use. An attacker who repeatedly sends crafted SSTP control packets while the service is still processing earlier state can cause it to operate on attacker-modified data after validation has succeeded. Exploitation requires winning the race window, which raises attack complexity, but it requires neither credentials nor user interaction.

For full vendor details, see the Microsoft Security Update Guide.

Root Cause

The root cause is a TOCTOU flaw [CWE-367] in SSTP packet handling. The service validates fields in an SSTP control message and later re-reads or dereferences the same memory without re-validation. Concurrent modification of that data between the check and the use leads to memory corruption and control-flow hijack within the SSTP service process.

Attack Vector

The attack vector is network-based. An attacker establishes a TLS connection to an SSTP listener on TCP 443, completes the HTTP-level SSTP handshake, and transmits crafted control messages that trigger the race condition. Exploitation requires neither authentication nor user interaction. Code execution occurs in the security context of the SSTP service process, so the attacker gains whatever rights that service account holds on the gateway. The vulnerability mechanism is described in prose only; no verified public proof-of-concept code is available.
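The first step of the attack path above, the TLS connection plus the HTTP-level SSTP handshake, is also exactly what a defender needs to find exposed listeners. The following probe is an added example written for this article (it is not code from the original page, from Microsoft, or from any exploit); it performs only the SSTP_DUPLEX_POST request defined in MS-SSTP and reads the status line, without sending any SSTP control packet, so it identifies exposure without exercising the vulnerable code path. The host names in the usage comment are placeholders.

```powershell
# Added example, not code from the original article or from Microsoft.
# Probes a host for an SSTP listener by performing only the MS-SSTP HTTP-layer
# handshake that every SSTP client sends before any control packet. No SSTP
# control packets are sent, so this identifies exposure without touching the
# vulnerable code path.
function Test-SstpListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )

    $result = [ordered]@{ ComputerName = $ComputerName; Port = $Port; SstpListener = $false; Detail = '' }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = 'connect timeout'
            return [pscustomobject]$result
        }
        $client.EndConnect($connect)

        # Discovery only: accept any server certificate so a self-signed RRAS
        # certificate does not abort the probe. Never reuse this callback in a real client.
        $acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAnyCert)
        $ssl.ReadTimeout = $TimeoutMs
        $ssl.AuthenticateAsClient($ComputerName)

        # MS-SSTP: the tunnel starts with an HTTP request that uses the
        # SSTP_DUPLEX_POST method on the fixed /sra_{...}/ resource with an
        # effectively unbounded Content-Length; an SSTP server answers 200 OK,
        # a plain web server answers with an error status or closes the connection.
        $request = "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1`r`n" +
                   "SSTPCORRELATIONID: {$([guid]::NewGuid())}`r`n" +
                   "Content-Length: 18446744073709551615`r`n" +
                   "Host: $ComputerName`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()

        $buffer = New-Object byte[] 1024
        $read = $ssl.Read($buffer, 0, $buffer.Length)
        $statusLine = ([System.Text.Encoding]::ASCII.GetString($buffer, 0, $read) -split "`r`n")[0]
        $result.Detail = $statusLine
        $result.SstpListener = [bool]($statusLine -match '^HTTP/1\.[01] 200\b')
    }
    catch {
        $result.Detail = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage: sweep an inventory list (placeholder names) and keep hosts that answer the SSTP handshake.
# 'vpn1.example.internal', 'vpn2.example.internal' |
#     ForEach-Object { Test-SstpListener -ComputerName $_ } |
#     Where-Object SstpListener
```

A 200 status on this request is the only positive signal; any other status, a TLS failure, or a timeout means no SSTP listener is reachable at that address and port. Run it from the network positions an attacker would occupy (internet, partner links, user VLANs) rather than only from the management network.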

Detection Methods for CVE-2022-44670

Indicators of Compromise

  • Repeated or malformed SSTP control packets to TCP 443 from a single source within short intervals
  • Unexpected crashes or restarts of the RemoteAccess or SstpSvc service in the Windows event log
  • Child processes spawned by svchost.exe hosting the SSTP service that are inconsistent with normal RAS operation
  • Outbound connections initiated by the SSTP service process to non-standard hosts

Detection Strategies

  • Monitor Windows event logs for SSTP service errors, access violations, and unexpected service restarts on RAS/VPN gateways
  • Inspect network telemetry for high-volume SSTP handshakes or fragmented control messages from external sources
  • Hunt for process anomalies where the SSTP service spawns command interpreters such as cmd.exe or powershell.exe

Monitoring Recommendations

  • Forward RAS and SSTP service logs to a centralized SIEM or data lake and alert on service termination events
  • Track netflow to and from VPN concentrators and baseline normal SSTP connection rates
  • Enable command-line and process-creation auditing on Windows Servers running RAS to surface post-exploitation activity
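The strategies and monitoring items above reduce to two concrete hunts on the gateway itself: service crash records from the Service Control Manager, and process-creation telemetry where the svchost instance hosting SstpSvc or RemoteAccess spawns an interpreter. The code below is an added example for this article, not code from the original page. It assumes the standard Windows System log (event IDs 7031 and 7034 from the Service Control Manager) and, for the second hunt, that Sysmon is installed and writing event ID 1 records; the sample record at the end is constructed, not real telemetry.

```powershell
# Added example, not code from the original article. Two hunts implementing the
# detection strategies above: (1) Service Control Manager records for unexpected
# termination of the SSTP or RRAS service (System log, IDs 7031/7034), and
# (2) Sysmon process-creation records (ID 1) whose parent is the svchost instance
# hosting SstpSvc or RemoteAccess and whose child is a command interpreter.
# Part (2) assumes Sysmon is installed.

function ConvertFrom-SysmonEventData {
    # Flatten the <Data Name="..."> nodes of a Sysmon record into a hashtable.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Test-InterpreterSpawnedBySstpHost {
    # The rule itself, separated from the log query so it can be exercised on
    # constructed input. When services run in their own host process, svchost is
    # started as "svchost.exe -k <group> ... -s <ServiceName>", which exposes the
    # service name on the parent command line.
    param([Parameter(Mandatory)] [hashtable] $Data)
    $parentIsSstpHost = ([string]$Data['ParentImage'] -match '(?i)\\svchost\.exe$') -and
                        ([string]$Data['ParentCommandLine'] -match '(?i)\s-s\s+(SstpSvc|RemoteAccess)\b')
    $childIsShell     = [string]$Data['Image'] -match '(?i)\\(cmd|powershell|pwsh)\.exe$'
    return ($parentIsSstpHost -and $childIsShell)
}

function Get-SstpServiceCrash {
    # Hunt (1): unexpected terminations of the SSTP or RRAS service in the last N hours.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Secure Socket Tunneling Protocol|Routing and Remote Access' } |
        Select-Object TimeCreated, Id, Message
}

function Get-InterpreterSpawnedBySstpHost {
    # Hunt (2): apply the rule to Sysmon process-creation events from the last N hours.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-SysmonEventData -Record $_
        if (Test-InterpreterSpawnedBySstpHost -Data $d) {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Parent = $d['ParentCommandLine']; Child = $d['CommandLine']; User = $d['User'] }
        }
    }
}

# Constructed sample (not real telemetry) showing what the rule matches.
$sample = @{
    Image             = 'C:\Windows\System32\cmd.exe'
    CommandLine       = 'cmd.exe /c whoami'
    ParentImage       = 'C:\Windows\System32\svchost.exe'
    ParentCommandLine = 'C:\Windows\System32\svchost.exe -k LocalService -p -s SstpSvc'
}
Test-InterpreterSpawnedBySstpHost -Data $sample   # True
```

The parent-command-line match depends on svchost running the service in its own process (the `-s <ServiceName>` form). On hosts where services are still grouped into a shared svchost, the `-s` switch is absent and the rule must instead map the parent PID to the service's PID (for example via `Get-CimInstance Win32_Service -Filter "Name='SstpSvc'"`) at query time.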

How to Mitigate CVE-2022-44670

Immediate Actions Required

  • Apply the December 2022 Microsoft security updates for all affected Windows client and Windows Server versions
  • Inventory all hosts exposing SSTP on TCP 443 and prioritize internet-facing VPN gateways for patching
  • Restrict inbound SSTP traffic to known client networks where business requirements permit
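The inventory and patch steps above can be turned into one per-host check. The function below is an added example for this article, not code from the original page or from Microsoft. It reports whether the SstpSvc service is present and running, whether RRAS still advertises SSTP as a tunnel type (only where the RemoteAccess module is installed), and whether a caller-supplied update is installed. The KB identifier is deliberately a parameter rather than a constant: it differs per Windows version and must be taken from the Microsoft Security Update Guide, and the `TunnelType` property name on the RRAS configuration object is assumed from the `Set-VpnServerConfiguration -TunnelType` parameter used in the workaround.

```powershell
# Added example, not code from the original article or from Microsoft.
# Local exposure and patch check for one Windows host. The KB number is a
# parameter because it differs per OS version; take it from the Security Update Guide.
function Get-SstpExposure {
    [CmdletBinding()]
    param(
        # KB identifier(s) for this OS from the Microsoft Security Update Guide (caller-supplied).
        [string[]] $ExpectedKb
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc = Get-Service -Name SstpSvc -ErrorAction SilentlyContinue

    # RRAS tunnel list. Get-VpnServerConfiguration exists only where the RemoteAccess
    # module is installed, so the check is skipped elsewhere. The TunnelType property
    # name is assumed from the matching Set-VpnServerConfiguration parameter.
    $tunnels = $null
    if (Get-Command -Name Get-VpnServerConfiguration -ErrorAction SilentlyContinue) {
        $tunnels = @((Get-VpnServerConfiguration).TunnelType)
    }

    # Get-HotFix reads Win32_QuickFixEngineering; cumulative and security-only
    # packages appear there under their KB number once installed.
    $installedKb = @()
    if ($ExpectedKb) {
        $installedKb = @(Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
    }
    $missingKb = @($ExpectedKb | Where-Object { $installedKb -notcontains $_ })

    $status  = if ($svc) { [string]$svc.Status } else { 'not installed' }
    $patched = if ($ExpectedKb) { $missingKb.Count -eq 0 } else { $null }   # $null = no KB supplied, unknown

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSCaption       = $os.Caption
        OSVersion       = $os.Version
        SstpSvcStatus   = $status
        RrasTunnelTypes = $tunnels
        ServesSstp      = [bool]($tunnels -and (($tunnels -join ',') -match '(?i)sstp'))
        ExpectedKb      = $ExpectedKb
        InstalledKb     = $installedKb
        MissingKb       = $missingKb
        Patched         = $patched
    }
}

# Usage: substitute the KB for this host's OS build from the Security Update Guide.
# Get-SstpExposure -ExpectedKb $KbFromUpdateGuide
```

Run it across the RRAS fleet (for example with `Invoke-Command`) and treat `ServesSstp -eq $true` together with `Patched -ne $true` as the priority list; hosts where `SstpSvcStatus` is `Running` but RRAS is not installed are ordinary clients that still need the update but are not accepting inbound SSTP.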

Patch Information

Microsoft released fixes on December 13, 2022, as part of the monthly security update cycle. Patch identifiers and KB articles per Windows version are listed in the Microsoft Security Update Guide. Install the cumulative update or standalone security-only package corresponding to the target operating system and reboot.

Workarounds

  • Disable the SSTP VPN protocol on Routing and Remote Access servers if SSTP is not required, leaving IKEv2 or L2TP enabled
  • Block TCP 443 SSTP traffic at the network perimeter for hosts that do not need to serve SSTP clients
  • Place SSTP gateways behind a TLS-terminating reverse proxy that enforces client certificate authentication where supported; confirm first that the proxy relays SSTP's long-lived duplex HTTP stream, since many HTTP proxies do not

```powershell
# Disable SSTP as an accepted VPN tunnel type on a Windows RRAS server.
# -TunnelType replaces the whole list, so name every tunnel type that should
# remain (for example add L2tp alongside Ikev2 if L2TP clients are still required).
Import-Module RemoteAccess
Set-VpnServerConfiguration -TunnelType Ikev2
# The change takes effect for new connections after the service restarts; existing SSTP sessions are dropped.
Restart-Service RemoteAccess
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
