You are currently viewing Windows CSRSS Elevation of Privilege Vulnerability Under Active Exploitation: CVE-2022-22047

Windows CSRSS Elevation of Privilege Vulnerability Under Active Exploitation: CVE-2022-22047

Microsoft recently patched a high severity security vulnerability in its July 2022 Patch Tuesday. This wildly exploited security vulnerability is assigned with an identifier CVE-2022-22047 and has a CVSS score of 7.8. This flaw was found by Microsoft’s internal security teams, Microsoft Threat Intelligence Center, and the Microsoft Security Response Center (MSRC). There is not much information available w.r.t POCs on this vulnerability. Soon attackers and security enthusiasts will reverse engineer the patch and would try creating POCs for the same. The flaw is already under active exploitation, although it needs local authentication to the system. The attacker can gain SYSTEM privileges by exploiting the elevation of privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS).

About the vulnerability

The bug was initially considered a Zero-Day when it was just announced and was patched later by Microsoft along with its Patch Tuesday updates. This vulnerability arises due to a buffer overflow or boundary error issue in the CSRSS/csrss.exe component of the Windows NT family operating systems. CSRSS is a critical process in the Windows OS as it mainly gets involved in starting and stopping processes or threads, providing the command-line windows console, and powering off the machine. A local user or an attacker who already has access to one of the local accounts can escalate their privileges to run arbitrary code with SYSTEM privileges.

A specially crafted Adobe or Office document can be used as a mode of attack to exploit this vulnerability. The users can be tricked into opening one such document with malicious macros (a series of instructions or commands that can be grouped and run as a single command to achieve a task). On opening such malicious documents, attackers can easily take control of the affected systems. Visual Basic for Applications (VBA) macros are the most common macros used by attackers to carry out such attacks, and these are not blocked in Office apps by default. This is one of the primary reasons why the attack is under active exploitation. However, Microsoft has informed, it would be blocking the use of any such document with VBA macros in its future releases.

Is the vulnerability critical?

Microsoft has announced this as a high severity vulnerability. In contrast, some researchers claim this is a medium severity bug as the attackers need authentication credentials and physical access to carry out the attack successfully. This bug has received particular attention since Cybersecurity & Infrastructure Security Agency (CISA) has it on their known exploited vulnerabilities list after Microsoft published this CVE. Adding to it, CISA has ordered all the Federal agencies in the United States to patch their systems by giving a deadline of August 2. Indeed, the bug is critical and has to be fixed as soon as possible since it affects the CSRSS component, a salient process that runs in all Windows OS.

Affected version

All Microsoft Windows Operating Systems


An authenticated attacker who successfully exploited the vulnerability can escalate their privileges to execute arbitrary code on the affected systems with SYSTEM privileges.


Microsoft has released a security fix in its monthly Patch Tuesday updates for July 2022

SanerNow VM and SanerNow PM detect this vulnerability and remediate it. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments