You are currently viewing Windows CSRSS Elevation of Privilege Vulnerability Under Active Exploitation: CVE-2022-22047

Windows CSRSS Elevation of Privilege Vulnerability Under Active Exploitation: CVE-2022-22047

Microsoft recently patched a high severity security vulnerability in its July 2022 Patch Tuesday. This security vulnerability is wildly exploited and is assigned with an identifier CVE-2022-22047 and has a CVSS score of 7.8. This flaw was discovered by Microsoft’s internal security teams using their vulnerability management software. Microsoft Threat Intelligence Center, and the Microsoft Security Response Center (MSRC). There is not much information available w.r.t POCs on this vulnerability. Soon attackers and security enthusiasts will reverse engineer the patch and would try creating POCs for the same. The flaw is already under active exploitation, although it needs local authentication to the system. Remediation can be a reality by using Vulnerability Management Tool. The attacker can gain SYSTEM privileges by exploiting the elevation of privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS).

About the vulnerability

When it was initially announced, the bug was considered a Zero-Day, but Microsoft subsequently patched it along with its Patch Tuesday updates. This vulnerability arises due to a buffer overflow or boundary error issue in the CSRSS/csrss.exe component of the Windows NT family operating systems. CSRSS plays a critical role in the Windows OS as it actively participates in starting and stopping processes or threads, providing the command-line windows console, and powering off the machine. A local user or an attacker who already has access to one of the local accounts can escalate their privileges to run arbitrary code with SYSTEM privileges. CVE-2022-22047 is the identifier to look for in this scenario.

Attackers can exploit this vulnerability by using a specially crafted Adobe or Office document. They can trick users into opening such a document containing malicious macros, which execute a series of commands to achieve a specific task. On opening such malicious documents, attackers can easily take control of the affected systems. VBA macros are the most common macros by attackers to carry out such attacks. Office apps will not be blocking this by default. This is one of the primary reasons why the attack is under active exploitation. However, Microsoft has informed, it would be blocking the use of any such document with VBA macros in its future releases. This is how they plan to patch similar vulnerabilities such as CVE-2022-22047.

Is the vulnerability critical?

Microsoft has announced this as a high severity vulnerability. In contrast, some researchers claim this is a medium severity bug. Hence, the attackers need authentication credentials and physical access to carry out the attack successfully. It is advisable to be on the look out for CVE-2022-22047 as an identifier. This bug has received particular attention since Cybersecurity & Infrastructure Security Agency (CISA) has it on their known exploited vulnerabilities list after Microsoft published this CVE. CISA has ordered all the Federal agencies in the United States to patch their systems by giving a deadline of August 2. The CSRSS component is altering which is a salient process that runs in all Windows OS. Therefore, we must fix the bug as soon as possible, as it is critical.

Affected version

All Microsoft Windows Operating Systems have this CVE-2022-22047 as a common vulnerability.


An authenticated attacker can escalate their privileges to execute arbitrary code on the affected systems with SYSTEM privileges.


Microsoft has released a security fix in its monthly Patch Tuesday updates for July 2022

SanerNow VM and SanerNow PM detect this vulnerability and remediate it. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article.

Share this article