An actively exploited Windows Client Server Runtime Subsystem (CSRSS) vulnerability was one of 84 patched in this week’s Microsoft Patch Tuesday. First discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), CVE-2022-22047 is tracked as a ‘High’ severity vulnerability, with a CVSS rating of 7.8/10. It affects devices running Windows 10 and Windows 11, as well as versions of Windows Server including Windows Server 2022. Microsoft have released a security update guide detailing the attack vector, exploitability, and fixes for this flaw.
CVE-2022-22047 is an elevation of privilege vulnerability which, if exploited, could allow an attacker to gain SYSTEM privileges. An attacker needs only low-privileged user access to abuse it, and because the attack complexity is low, the attack can be repeated with the same success rate. The vulnerability exists in CSRSS, a critical component for system operation that is responsible for graphical user interface (GUI) shutdown and for handling the Win32 console.
The attack can be conducted locally on the device itself, or remotely through network protocols such as Secure Shell (SSH). Malicious documents could also be used as an attack vector; however, this requires user interaction. Attackers with read/write/execute capabilities on the device can use them to gain this initial access. Once they have gained access, exploitation results in the total loss of confidentiality, integrity, and availability of the component.
Microsoft originally termed this a zero-day because attacks were occurring and the vulnerability was publicly disclosed before a patch was available. However, all affected users should now be able to prevent exploitation by updating to the latest version of Windows. A full list of affected versions of Windows can be found in the CVE record for this flaw.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)