The US Cyber Security Administration (CISA) has set a deadline of August 2, 2022 for US institutions to fix the CVE-2022-22047 vulnerability, which has a CVSS score of 7.8.
This vulnerability in the Client Server Runtime Subsystem (CSRSS) affects almost all versions of Windows and was fixed with the July 2022 updates.
The vulnerability CVE-2022-22047
CVE-2022-22047 is an elevation of privilege vulnerability in the Client Server Runtime Subsystem (CSRSS). A local attacker who exploits it could gain SYSTEM privileges. According to Microsoft, the vulnerability is already being exploited, and almost all versions of Windows (client and server) are affected:
Windows Server 2012 R2: KB5015874 Monthly Rollup
Windows Server 2012 R2: KB5015877 Security only
Windows Server 2012: KB5015863 Monthly Rollup
Windows Server 2012: KB5015875 Security only
Windows Server 2008 R2 SP1: KB5015861 Monthly Rollup
Windows Server 2008 R2 SP1: KB5015862 Security only
Windows Server 2008 SP2: KB5015866 Monthly Rollup
Windows Server 2008 SP2: KB5015870 Security only
Windows RT 8.1: KB5015874 Monthly Rollup
Windows 8.1: KB5015874 Monthly Rollup
Windows 8.1: KB5015877 Security only
Windows 7 SP1: KB5015861 Monthly Rollup
Windows 7 SP1: KB5015862 Security only
Windows Server 2016: KB5015808
Windows 10: KB5015832
Windows 10 Version 21H2: KB5015807
Windows 11: KB5015814
Windows Server 2022: KB5015827
Windows Server 2019: KB5015811
Windows 10 Version 1809: KB5015811
The KB numbers indicate the relevant updates that have been released since July 12, 2022.
The CISA statement: Patch by August
CISA adds Windows bug to exploited list, urges agencies to patch by August 2 – The Record by Recorded Future https://t.co/nfP1IRlLEH
— Sami Laiho (@samilaiho) July 17th, 2022
The US Cybersecurity Administration has added the CVE-2022-22047 vulnerability to its list of bugs to be patched and requires systems to be patched by August 2, 2022.
