External risk intelligence

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

CVE advisory | Known Exploit

CVE-2022-26904

A vulnerability in the Windows User Profile Service could allow an attacker with local access to escalate privileges on affected systems. This presents a risk of unauthorized system control and further compromise of organizational data and operations. Addressing this vulnerability is recommended to mitigate business ri

1 Halo Surface Signal

Microsoft Windows 10 1507

before 10.0.10240.19265, before 10.0.14393.5066, before 10.0.17763.2803, before 10.0.18363.2212, before 10.0.19042.1645, before 10.0.19043.1645, before 10.0.19044.1645, before 10.0.22000.613, r2b...

External exposure likelihood

Halo Surface Signal score for CVE-2022-26904

The vulnerability exists within the Windows User Profile Service, a local operating system component. Exploitation requires local access to the system, and it is not reachable via the public internet in common deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The Windows User Profile Service contains a vulnerability that could allow an attacker to gain elevated privileges. This flaw exists within the core operating system. Successfully exploiting this could lead to unauthorized access and control over affected systems.

  • Vulnerable Windows component
  • Privilege escalation flaw
  • Unauthorized system access

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to gain elevated privileges on a system. The attack vector requires local access to the affected Windows system. An attacker with initial low-level access can exploit this vulnerability to gain higher privileges.

  • Local system access required.
  • Attacker triggers the vulnerability.
  • Control of the system is gained.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability impacts the Windows User Profile Service and could allow an attacker to elevate privileges on affected systems. Exploitation requires local access and specific conditions, presenting a risk to organizations if not addressed. The ability for an attacker to gain higher system privileges could lead to further compromise of data and operations.

  • Attackers need moderate skill.
  • Local access is required.
  • Business risk is significant.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Windows User Profile Service, allowing for privilege escalation on affected systems. Organizations should prioritize identifying systems running vulnerable versions of Windows. The vendor has released updates to address this vulnerability.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
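
For the "find affected assets" step, the following added example (not part of the original advisory or any vendor tooling) triages an inventory export against the "before" builds listed on this page. The `host,version` CSV layout and the sample hosts are assumptions, and because the page's version list is truncated, any build it does not name is reported as `unknown` rather than treated as safe.

```python
import csv
import io

# OS build -> first fixed update revision, copied from this page's "before" list.
FIXED_REVISION = {
    10240: 19265, 14393: 5066, 17763: 2803, 18363: 2212,
    19042: 1645, 19043: 1645, 19044: 1645, 22000: 613,
}

def classify(version: str) -> str:
    """Classify a '10.0.<build>.<revision>' string against the page's fixed builds."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "unparsed"  # revision missing or not a dotted numeric version
    major, minor, build, revision = map(int, parts)
    if (major, minor) != (10, 0) or build not in FIXED_REVISION:
        return "unknown"   # build not covered by the (truncated) list on this page
    return "vulnerable" if revision < FIXED_REVISION[build] else "patched"

def triage(inventory_csv: str) -> dict:
    """Group hostnames from a 'host,version' CSV export by classification."""
    result = {"vulnerable": [], "patched": [], "unknown": [], "unparsed": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("version") or "")].append(row["host"])
    return result

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = """host,version
ws-001,10.0.19044.1586
ws-002,10.0.19044.1645
srv-010,10.0.17763.2686
srv-011,10.0.20348.643
kiosk-7,10.0.22000.613
legacy-3,6.3.9600
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` and `unparsed` groups need a manual check against the vendor's update guidance before they are considered remediated.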

Frequently asked questions

What is the Windows User Profile Service?

The Windows User Profile Service is a core part of the Windows operating system responsible for managing user profiles. It handles tasks like loading and unloading user environment settings, ensuring that each user has their own personalized desktop experience and access to their files and application settings.

What type of weakness is CVE-2022-26904?

CVE-2022-26904 is a race condition vulnerability (CWE-362). This type of flaw occurs when multiple processes or threads access shared data concurrently, and the outcome depends on the unpredictable timing of their execution, potentially leading to unintended behavior like privilege escalation.

How could an attacker exploit CVE-2022-26904?

Exploiting this vulnerability requires an attacker to first have local access to the affected Windows system. They would then need to trigger a specific condition within the User Profile Service, which could allow them to gain elevated privileges on that system.

Who should be concerned about this Windows vulnerability?

Organizations running affected versions of Windows should be concerned. According to Halo Surface Signal analysis, this vulnerability is classified as internal, meaning it requires local access to the system rather than being directly reachable from the internet.

What is the first step to address this CVE?

The initial step is to identify all systems running vulnerable versions of Windows within your environment. Once identified, applying the security updates provided by Microsoft is crucial to mitigate the risk of this privilege escalation vulnerability.
