CVE-2022-41125 — Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability

Windows CNG Key Isolation Service — Out-of-Bounds Write in Cryptographic Key Management Service Grants SYSTEM Privileges; November 2022 Zero-Day

What is the Windows CNG Key Isolation Service?

The Windows Cryptography Next Generation (CNG) Key Isolation Service (KeyIso, running within lsass.exe) is a Windows system service responsible for isolating private key material from the processes that use it. Applications perform cryptographic operations through the CNG API, but the actual private key operations are handled by KeyIso running in a separate, protected service context. This architecture ensures that private keys are not directly accessible from the address space of the applications using them. Because KeyIso runs as part of lsass.exe — the Local Security Authority process that manages Windows authentication credentials, security tokens, and sensitive cryptographic material — vulnerabilities in KeyIso that allow memory corruption can yield SYSTEM privileges and access to the sensitive data lsass.exe holds, including NTLM hashes and Kerberos tickets.

Overview

CVE-2022-41125 is an out-of-bounds write (CWE-787) vulnerability in the Windows CNG Key Isolation Service that allows a local attacker with low privileges to escalate to SYSTEM-level privileges. Microsoft patched it on November 8, 2022 (Patch Tuesday) as an actively exploited zero-day; CISA added it to the KEV catalog the same day, one day before NVD's formal publication. Because the escalation runs through the cryptographic key isolation service inside lsass.exe, this is a high-value LPE in post-exploitation scenarios.

Affected Versions

Product | Affected | Fixed
Windows 10 (all versions) | Prior to November 2022 cumulative update | November 8, 2022 cumulative update
Windows 11 (all versions) | Prior to November 2022 cumulative update | November 8, 2022 cumulative update
Windows Server 2012 through 2022 | Prior to November 2022 cumulative update | November 8, 2022 cumulative update

Technical Details

An out-of-bounds write (CWE-787) in the CNG Key Isolation Service occurs when a local process calls CNG API functions with crafted parameters that cause KeyIso to write data beyond the boundary of an allocated buffer within lsass.exe's address space. The exploitation path:

  1. Execute as a low-privilege local user — any standard Windows user account can make CNG API calls that route through KeyIso
  2. Call a vulnerable CNG function with crafted parameters — construct API parameters that trigger the out-of-bounds write condition in KeyIso's memory management
  3. Corrupt lsass.exe memory — the out-of-bounds write corrupts data structures within lsass.exe, which runs as SYSTEM
  4. Achieve SYSTEM execution — leverage the memory corruption to redirect lsass.exe execution to attacker-controlled code, obtaining SYSTEM privileges

SYSTEM-level access provides unrestricted control over the local system, the ability to dump credential material from lsass.exe (NTLM hashes, Kerberos tickets), and the ability to disable security tools or establish persistence.

Discovery

CVE-2022-41125 was patched as a November 2022 Patch Tuesday zero-day with active exploitation confirmed at patch time. DBAPPSecurity (a Chinese security research organization) was credited with the discovery in Microsoft's advisory. The simultaneous KEV addition confirms CISA's awareness of exploitation at patch time.

Exploitation Context

Windows CNG Key Isolation Service LPE vulnerabilities are used in the same post-exploitation role as other Windows LPE zero-days: attackers who gain initial access with a low-privilege account use local privilege escalation to SYSTEM before deploying malware, dumping credentials, or moving laterally. The CNG component's presence in lsass.exe makes a successful exploit particularly valuable — SYSTEM privileges plus lsass memory access enable direct credential harvesting (mimikatz-style LSASS dump) in a single step.

The November 2022 Patch Tuesday patched multiple zero-days simultaneously (CVE-2022-41073 Print Spooler, CVE-2022-41125 CNG, CVE-2022-41128 JScript9), reflecting a period of active Windows exploitation by multiple threat actors.

Remediation

  1. Apply the November 2022 Windows cumulative update — patches CVE-2022-41125 in the CNG Key Isolation Service across all affected Windows versions.
  2. Enable Windows Credential Guard — Credential Guard virtualizes lsass.exe's credential storage using Virtualization-Based Security (VBS), protecting NTLM hashes and Kerberos tickets from being read even if SYSTEM privileges are obtained; reduces the credential harvesting impact of lsass-targeting exploits.
  3. Restrict lsass.exe process access — configure the RunAsPPL (Protected Process Light) setting for lsass.exe via the registry to reduce the ability of non-system processes to attach debuggers or inject code into lsass.
  4. Deploy EDR with lsass protection — endpoint detection and response solutions that monitor for lsass.exe memory access attempts can detect exploitation attempts and credential harvesting activity.
  5. Keep Windows current with cumulative updates — Windows LPE vulnerabilities in system services are patched monthly; maintaining current update status is the primary defense.
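Steps 1 to 3 above can be verified from an elevated PowerShell session. The script below is an added posture check, not part of the original advisory; it assumes the documented registry value HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL and the Win32_DeviceGuard CIM class, and, since this page gives no KB number, uses the 2022-11-08 Patch Tuesday date as a heuristic for whether the cumulative update is present.

```powershell
# Added posture check for the remediation steps above (not from the advisory).
# Assumes: run elevated on the host being checked. Registry path and CIM class are
# documented Windows locations; the date is the Patch Tuesday date given on this page.

function Test-PatchInstalledSince {
    param([datetime]$Since = [datetime]'2022-11-08')
    # Heuristic: any hotfix installed on or after the November 2022 Patch Tuesday.
    # InstalledOn can be $null for some entries, so those are excluded first.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since }
    return [bool]$recent
}

function Test-LsassRunAsPPL {
    # A nonzero RunAsPPL value marks lsass.exe as a Protected Process Light.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return ($null -ne $lsa) -and ($null -ne $lsa.RunAsPPL) -and ($lsa.RunAsPPL -ne 0)
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
}

$results = [ordered]@{
    'Cumulative update on/after 2022-11-08' = Test-PatchInstalledSince
    'lsass.exe RunAsPPL enabled'            = Test-LsassRunAsPPL
    'Credential Guard running'              = Test-CredentialGuardRunning
}

foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'OK' } else { 'MISSING' }
    Write-Output ('{0,-40} {1}' -f $check.Key, $status)
}
```

A MISSING result on the first line should be confirmed against the exact KB for the host's Windows build before treating the machine as patched or unpatched.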

Key Details

Property | Value
CVE ID | CVE-2022-41125
Vendor / Product | Microsoft — Windows
NVD Published | 2022-11-09
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2022-11-08
CISA KEV Deadline | 2022-12-09
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | Low
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-12-09. Apply updates per vendor instructions.

Timeline

Date | Event
2022-11-08 | Microsoft November 2022 Patch Tuesday — CVE-2022-41125 patched as an actively exploited zero-day; CISA adds it to KEV the same day
2022-11-09 | CVE-2022-41125 published to NVD
2022-12-09 | CISA BOD 22-01 remediation deadline