Last Updated on 05/02/2022 by Nidhi Khandelwal
Federal entities have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) to patch their systems against an actively exploited Windows vulnerability that allows attackers to gain SYSTEM rights.
All Federal Civilian Executive Branch (FCEB) agencies are now required to patch their systems against this vulnerability, tracked as CVE-2022-21882, within two weeks, by February 18th, according to a binding operational directive (BOD 22-01) published in November and today’s notification.
While BOD 22-01 only applies to FCEB agencies, CISA strongly advises all private and public sector entities to follow the Directive and prioritize mitigation of the vulnerabilities in its catalog of actively exploited security weaknesses, to limit their exposure to ongoing cyberattacks.
After exploiting the Win32k local privilege elevation bug, threat actors with limited access to a compromised device can use the newly acquired rights to spread laterally inside the network, create new admin users, and execute privileged commands.
Systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 or later are affected unless the January 2022 Patch Tuesday updates have been installed.
This defect also bypasses the patch for another Windows Win32k privilege escalation weakness (CVE-2021-1732), a zero-day flaw fixed in February 2021 and frequently exploited in attacks since at least the summer of 2020.
BleepingComputer also tested an exploit for this vulnerability and had no issues compiling and running it on a Windows 10 system, where it obtained SYSTEM rights (the exploit didn’t work on Windows 11).