The US Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Win32k privilege escalation vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal civilian agencies to patch the issue by February 18.
CISA said it added the vulnerability "based on evidence that threat actors are actively exploiting" it.
Cybersecurity company Deepwatch said in a blog last week that proof-of-concept code was publicly disclosed and that threat actors with limited access to a compromised device "can utilize this vulnerability to quickly elevate privileges, allowing them to spread laterally inside the network, create new administrator users, and run privileged commands."
"According to the security researcher credited with disclosing the vulnerability to Microsoft, the vulnerability has already been exploited by advanced persistent threat (APT) actors. Deepwatch Threat Intel Teams assess with high confidence that threat actors are likely to use the publicly available exploit code for CVE-2022-21882 to escalate privileges on systems in which they have already initially compromised," the Deepwatch Threat Intel Team explained.
"Given the vulnerability affects Windows 10, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems."
The vulnerability has a CVSS score of 7.0 and affects Microsoft Windows 10 versions 1809, 1909, 20H2, 21H1, and 21H2 as well as Microsoft Windows 11. Microsoft Windows Server 2019 and Microsoft Windows Server 2022 are also affected.
The issue was heavily discussed by cybersecurity experts on Twitter, one of which said they discovered it two years ago. Others confirmed the exploit works.
Microsoft acknowledged RyeLv (@b2ahex) for discovering the issue and confirmed that it has been exploited. The issue is related to another vulnerability -- CVE-2021-1732 -- that Microsoft released a patch for in February 2021.
Bugcrowd founder Casey Ellis said what stood out most to him was that most of the other vulnerabilities covered by 2022-01 provide initial access to systems.
"This one is useful for increasing the power of marginal initial access, after it has already been achieved. The significance of this is that it shifts the prevention focus from 'prevent intrusion' to 'assume and contain intrusion,'" Ellis explained.
Privilege escalation bugs are the bane of any operating system, according to BluBracket head of product Casey Bisson. Bisson added that every successful OS vendor or community prioritizes fixes for them.
"OS bugs can be very serious because they affect such large numbers of systems, but that also triggers a strong and rapid response," Bisson said. "However, application-level vulnerabilities are often riskier because they can result in similar levels of access, but lack the same attention that OS-level risks often receive."