CVE-2022-21919

What is the Windows User Profile Service?

The Windows User Profile Service (ProfSvc) is a core Windows service responsible for loading and unloading user profiles during logon and logoff. It manages user environment initialization, roaming profiles synchronization, and profile directory creation. Because the User Profile Service runs with SYSTEM privileges and processes file system operations during logon/logoff, it has historically been a target for symbolic link (symlink) and junction abuse attacks that leverage its privileged file access to escalate privileges.

Overview

CVE-2022-21919 is a high-severity Windows User Profile Service privilege escalation vulnerability (CWE-59, CVSS 7.0) in Microsoft Windows. A local attacker with low privileges can exploit a link-following flaw in the User Profile Service to escalate to SYSTEM privileges. Patched in January 2022 Patch Tuesday, the vulnerability was confirmed actively exploited — CISA added it to KEV in April 2022, more than three months after the patch. The attack complexity is rated High due to specific timing or race conditions required for reliable exploitation.

Affected Versions

Technical Details

The vulnerability (CWE-59: Improper Link Resolution Before File Access — "Link Following") exists in the User Profile Service's handling of file system operations during profile setup and teardown.

The User Profile Service performs privileged file operations (creating directories, copying files, setting permissions) using SYSTEM-level privileges. In certain operations, the service follows symbolic links or directory junctions without adequately verifying that the target path is safe. A local attacker with standard user privileges can create a symbolic link or junction at a location the User Profile Service will access, redirecting the service's privileged file operation to an attacker-controlled path.

By redirecting a privileged file write or permission-setting operation to a location the attacker controls — such as an NTFS junction pointing to a sensitive system directory — the attacker can write attacker-controlled content to a SYSTEM-owned location or modify file permissions on critical system files, ultimately achieving SYSTEM-level code execution.

The CVSS attack complexity of High reflects that the symlink/junction must be positioned at exactly the right time (race condition) relative to the User Profile Service operation.

Discovery

Discovered by security researchers and reported to Microsoft. The 3+ month gap between the January 2022 patch and CISA's April 2022 KEV addition suggests exploitation was discovered relatively quietly and was confirmed through incident response or threat intelligence rather than mass public exploitation.

Exploitation Context

Windows privilege escalation via link following is a well-established exploit category used by:

• Ransomware operators: Achieving SYSTEM for maximum-impact deployment
• APT persistence: Escalating initial limited user access to full system control
• Post-exploitation frameworks: Included in standard privilege escalation module collections

The User Profile Service is an attractive target because it runs reliably during logon/logoff operations (allowing timing attacks), has SYSTEM-level file system privileges, and its link-following behavior is a natural byproduct of its legitimate function.

Remediation

1. Apply January 2022 Patch Tuesday: Install the cumulative security update for your Windows version via Windows Update or WSUS.
2. Prioritize enterprise endpoints: Focus on high-value systems (domain controllers, privileged admin workstations, servers) where LPE would have the greatest blast radius.
3. Monitor for anomalous logon events: Symlink-based LPE attacks often involve unusual profile loading events; monitor Windows Security Event Log for unusual logon/logoff sequences.
4. Deploy EDR: Behavioral detection of privilege escalation attempts can catch exploitation even on unpatched systems.