CVE-2022-44702 Overview
CVE-2022-44702 is a remote code execution vulnerability affecting Microsoft Windows Terminal on Windows 10 and Windows 11 systems. Microsoft published the advisory on December 13, 2022, classifying the issue with a CVSS score of 7.8. Despite the "remote code execution" label, the attack vector is local and requires user interaction, meaning an attacker must convince a user to open or interact with a crafted resource. Successful exploitation allows the attacker to execute arbitrary code in the context of the current user, compromising confidentiality, integrity, and availability.
Critical Impact
Attackers can execute arbitrary code in the user context through Windows Terminal, leading to full compromise of user-accessible data and processes on affected Windows 10 and Windows 11 hosts.
Affected Products
- Microsoft Windows Terminal
- Microsoft Windows 10
- Microsoft Windows 11
Discovery Timeline
- 2022-12-13 - CVE-2022-44702 published to NVD by Microsoft
- 2025-01-02 - Last updated in NVD database
Technical Details for CVE-2022-44702
Vulnerability Analysis
CVE-2022-44702 is a local code execution flaw in Windows Terminal, the modern command-line host shipped with Windows 10 and Windows 11. The CWE assignment in NVD is NVD-CWE-noinfo, and Microsoft has not released detailed root-cause information beyond the advisory. The vulnerability requires a local attack vector with low complexity and no privileges, but does require user interaction such as opening a malicious file, link, or terminal profile.
The EPSS score is approximately 9.756% with a percentile of 93.035, indicating the issue ranks among the more probable-to-be-exploited vulnerabilities tracked by EPSS, even though no public proof-of-concept or in-the-wild exploitation has been confirmed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
Microsoft has not publicly disclosed the precise defect, and the CWE classification remains NVD-CWE-noinfo. Based on the advisory metadata, the flaw resides in how Windows Terminal parses or handles attacker-controlled input that ultimately leads to code execution under the invoking user. Refer to the Microsoft Security Advisory CVE-2022-44702 for vendor-provided context.
Attack Vector
Exploitation requires a local vector with user interaction. An attacker delivers a crafted artifact — for example a malicious settings file, profile, URI handler invocation, or document that triggers Windows Terminal — and convinces the target to open it. When the user interacts with the content, Windows Terminal processes the input and executes code chosen by the attacker in the user's security context. No prior authentication on the target is required beyond the user opening the resource.
No verified public exploit code is available. Defenders should treat phishing emails carrying terminal configuration files, shortcut files invoking wt.exe, and ms-terminal: protocol links as plausible delivery channels.
Detection Methods for CVE-2022-44702
Indicators of Compromise
- Unexpected child processes spawned by WindowsTerminal.exe or wt.exe, particularly script interpreters such as powershell.exe, cmd.exe, or wscript.exe.
- Modification of Windows Terminal settings.json from untrusted sources or roaming profile locations.
- Invocations of the ms-terminal: URI handler originating from email clients, browsers, or document readers.
- Outbound network connections initiated by processes launched from Windows Terminal shortly after a user opens an attachment or link.
Detection Strategies
- Build endpoint detection rules that alert on wt.exe or WindowsTerminal.exe spawning living-off-the-land binaries used for download and execution.
- Monitor for the creation or replacement of Windows Terminal configuration files in %LOCALAPPDATA%\Packages\Microsoft.WindowsTerminal_*\LocalState\.
- Correlate URI handler activation events with subsequent process creation and network telemetry to surface social-engineering chains.
Monitoring Recommendations
- Forward Sysmon process creation (Event ID 1) and file creation (Event ID 11) events for terminal-related binaries to your SIEM.
- Track Microsoft Defender or third-party EDR telemetry for unsigned binaries executed from user-writable paths after Windows Terminal launches.
- Audit installed Windows Terminal versions across the fleet to identify hosts running pre-patch builds.
How to Mitigate CVE-2022-44702
Immediate Actions Required
- Apply the Windows Terminal security update referenced in the Microsoft advisory to all Windows 10 and Windows 11 endpoints.
- Inventory hosts where Windows Terminal is installed through the Microsoft Store or as a Windows component and confirm they are on a patched build.
- Restrict execution of untrusted attachments and links that could trigger Windows Terminal protocol handlers.
Patch Information
Microsoft released a fix tracked under the Microsoft Vulnerability CVE-2022-44702 advisory. Update Windows Terminal to the latest version available through the Microsoft Store or via the GitHub release channel, and ensure cumulative Windows updates that ship the component are deployed.
Workarounds
- Disable or unregister the ms-terminal: URI handler on systems where it is not required for business workflows.
- Use application control policies such as Windows Defender Application Control or AppLocker to block execution of wt.exe from non-standard paths.
- Train users to avoid opening unsolicited terminal configuration files, .lnk files, or protocol links from external sources.
# Verify installed Windows Terminal version via PowerShell
Get-AppxPackage -Name Microsoft.WindowsTerminal | Select-Object Name, Version
# Force update of Windows Terminal through the Microsoft Store
start ms-windows-store://downloadsandupdates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
