CVE-2022-22047

What is Windows CSRSS?

The Client Server Runtime Subsystem (CSRSS) is a core Windows process responsible for managing the Win32 console subsystem, creating and deleting threads and processes, and handling some aspects of the Windows shutdown process. CSRSS runs with SYSTEM privileges and interacts closely with the kernel. Because CSRSS is a fundamental Windows subsystem with SYSTEM-level privileges, vulnerabilities that allow manipulation of CSRSS execution paths can lead to privilege escalation to SYSTEM — the highest privilege level on Windows.

Overview

CVE-2022-22047 is a high-severity Windows CSRSS privilege escalation vulnerability (CWE-426, CVSS 7.8) in Microsoft Windows. A local attacker with low privileges can exploit an untrusted search path flaw in CSRSS to escalate to SYSTEM privileges. This was a zero-day — Microsoft confirmed active in-the-wild exploitation at the time of the July 2022 Patch Tuesday release, and CISA added it to KEV on the same day as the patch. The vulnerability requires only local code execution and standard user privileges to exploit.

Affected Versions

Technical Details

The vulnerability (CWE-426: Untrusted Search Path) exists in the Windows CSRSS process's handling of executable or library loading. An untrusted search path vulnerability occurs when a process searches for an executable or DLL in directories that an attacker can write to, before searching in trusted system directories.

CSRSS, when performing certain operations (such as process creation, shutdown handling, or console management), may search for and load components from a search path that includes locations writable by low-privileged users. An attacker with local code execution can place a malicious file in one of these locations before the legitimate search proceeds, causing CSRSS to load and execute the attacker's file with SYSTEM privileges.

The zero-day nature (exploited before the patch) indicates a threat actor had independently discovered the vulnerability and incorporated it into their toolkit. The simultaneous patch and KEV addition suggests CISA was alerted through threat intelligence.

Discovery

Reported to Microsoft through their security disclosure process. The simultaneous patch release and KEV addition on July 12, 2022 indicates active exploitation was already confirmed before Microsoft publicly disclosed the fix — an unusual same-day disclosure timeline.

Exploitation Context

CSRSS zero-day LPE vulnerabilities are particularly valuable because:

• CSRSS is present on every Windows system — the vulnerability has universal applicability
• The untrusted search path technique is well-understood and can be leveraged in automated post-exploitation tooling
• SYSTEM-level access immediately enables the most damaging follow-on actions

The zero-day status (exploited before patch) suggests sophisticated threat actor use, likely in targeted attack chains:

1. Initial access via phishing, RCE, or credential stuffing to gain limited user code execution
2. CVE-2022-22047 CSRSS LPE to escalate to SYSTEM
3. Credential harvesting, lateral movement, persistence, or ransomware deployment from SYSTEM context

Remediation

1. Apply July 2022 Patch Tuesday immediately: This is a zero-day with confirmed active exploitation — install the cumulative update via Windows Update or WSUS without delay.
2. Prioritize internet-facing and high-privilege systems: Domain controllers, admin workstations, and servers where SYSTEM-level compromise has the greatest blast radius.
3. Investigate for exploitation: If the patch window was delayed, look for indicators of post-exploitation activity — unexpected scheduled tasks, new local accounts, and LSASS memory access from non-standard processes.
4. Deploy EDR: Behavioral detection can identify untrusted search path exploitation patterns and SYSTEM-escalation from non-privileged processes.