CVE-2022-21882: Win32k Elevation of Privilege Vulnerability
Published: 2022-01-11
Severity: HIGH (CVSS 7.0)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-02-18
Exploited in the wild
Win32k Elevation of Privilege Vulnerability
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.2452 | 10.0.17763.2452 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.2452 | 10.0.17763.2452 |
| microsoft | windows_10_version_1909 | >= 10.0.0 < 10.0.18363.2037 | 10.0.18363.2037 |
| microsoft | windows_10_version_20h2 | >= 10.0.0 < 10.0.19042.1466 | 10.0.19042.1466 |
| microsoft | windows_10_version_21h1 | >= 10.0.0 < 10.0.19043.1466 | 10.0.19043.1466 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.1466 | 10.0.19044.1466 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.434 | 10.0.22000.434 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.2452 | 10.0.17763.2452 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.469 | 10.0.20348.469 |
| microsoft | windows_server_version_20h2 | >= 10.0.0 < 10.0.19042.1466 | 10.0.19042.1466 |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_20h2 | — | — |
| msrc | windows_10_version_21h1 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_version_20h2 | — | — |
CVSS provenance
| Source | Score | Severity |
|---|---|---|
| cvelistv5 | 7.0 | HIGH |
| vulncheck | 7.0 | HIGH |
| cisa | 7.8 | HIGH |
Project0
2022 0-day In-the-Wild Exploitation…so far - Project Zero
project_zero·2022-06-01·CVSS 8.8
CVE-2016-5128 [HIGH] 2022 0-day In-the-Wild Exploitation…so far - Project Zero
Posted by Maddie Stone, Google Project Zero
This blog post is an overview of a talk, “ 0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available here.
For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report, which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nin
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
GHSA
GHSA-m3vx-53cf-jqv4: Win32k Elevation of Privilege Vulnerability
ghsa_unreviewed·2022-01-12·CVSS 7.0
CVE-2022-21882 [HIGH] CWE-269 GHSA-m3vx-53cf-jqv4: Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.
GHSA
GHSA-h585-m23x-h5c2: Win32k Elevation of Privilege Vulnerability
ghsa_unreviewed·2022-01-12·CVSS 7.0
CVE-2022-21887 [HIGH] CWE-269 GHSA-h585-m23x-h5c2: Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21882.
CVEList
Win32k Elevation of Privilege Vulnerability
cvelistv5·2022-01-11·CVSS 7.0
CVE-2022-21882 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2022·CVSS 7.0
CVE-2022-21882 [HIGH] CWE-787 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2022-Jan; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://asec.ahnlab.com/en/38156/; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf; https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-glob
Project0
Project Zero RCA: CVE-2022-21882: Win32k Window Object Type Confusion
project_zero·CVSS 7.0
CVE-2022-21882 [HIGH] Project Zero RCA: CVE-2022-21882: Win32k Window Object Type Confusion
# CVE-2022-21882: Win32k Window Object Type Confusion
*RyeLv (@b2ahex)*
## The Basics
**Disclosure or Patch Date:** Jan 13, 2022
**Product:** Microsoft Windows
**Advisory:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882
**Affected Versions:** Before the January 2022 patch update: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022 (currently only full exploits found under Windows 10 and Windows Server 2019)
**First Patched Version:** CVE-2022-21882, January 2022 patch update.
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** RyeLv (@b2ahex)
## The Code
**Proof-of-concept:** N/A
**Exploit sample:** N/A
**Did you have access to the exploit sample when doing the analysis?** Yes
## The Vulnerability
**Bug cla
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2022-02-04·CVSS 7.8
CVE-2022-21882 [HIGH] CWE-787 Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-21882
Remediation Due Date: 2022-02-18
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2022-01-11·CVSS 7.0
CVE-2022-21882 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability?
A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.
Windows Win32K: Windows Win32K
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation More Likely; Older Software Release: Exploitation More Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009557
Reference: https://support.microsoft.com/help/5009557
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009545
Reference: https://support.mi
No detection rules found.
Tenable
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
blogs_tenable·2024-06-11
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
Unit42
Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732
blogs_unit42·2023-06-20·CVSS 7.8
CVE-2022-21882 [HIGH] Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732
Shawn Westfall
Published: June 20, 2023
## Executive Summary
After seeing reports of two similar privilege escalation vulnerabilities in Microsoft Windows – CVE-2021-1732 and CVE-2022-21882 – we decided to analyze both to better understand the code involved in each. This is a continuation of Inside Win32k Exploitation, in which we discussed the Win32k internals and exploitation in general as background information to explore the issues surrounding CVE-2021-1732 and CVE-2022-21882.
Here, we will dig deeper into CVE-2021-1732 and CVE-2022-21882 and their related proo
Unit42
Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732
blogs_unit42·2023-06-20·CVSS 7.8
CVE-2021-1732 [HIGH] Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732
## Executive Summary
After seeing reports of two similar privilege escalation vulnerabilities in Microsoft Windows – CVE-2021-1732 and CVE-2022-21882 – we decided to analyze both to better understand the code involved in each. This is a continuation of Inside Win32k Exploitation, in which we discussed the Win32k internals and exploitation in general as background information to explore the issues surrounding CVE-2021-1732 and CVE-2022-21882.
Here, we will dig deeper into CVE-2021-1732 and CVE-2022-21882 and their related proof-of-concept (PoC) exploits. We’ll walk through an analysis of these two exploits, and thus see why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.
Both vulnerabilities discussed in this series are detected and blocked by the Cortex XDR Ant
Unit42
Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
blogs_unit42·2023-06-13·CVSS 7.8
CVE-2022-21882 [HIGH] Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
## Executive Summary
In late January 2022, several reports on social media indicated that a new Microsoft Windows privilege escalation vulnerability (CVE-2022-21882) was being exploited in the wild. These reports prompted us to do an analysis of CVE-2022-21882, which turned out to be a vulnerability in the Win32k.sys user-mode callback function xxxClientAllocWindowClassExtraBytes.
In 2021, a very similar vulnerability (CVE-2021-1732) was reported to – and patched by – Microsoft. We decided to take a closer look at both vulnerabilities to better understand the code involved in each. In our initial analysis we wanted to determine why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.
This is part one of a series that will cover Win32k internals and exploitation in g
Unit42
Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
blogs_unit42·2023-06-13·CVSS 7.8
CVE-2021-1732 [HIGH] Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
Shawn Westfall
Published: June 13, 2023
## Executive Summary
In late January 2022, several reports on social media indicated that a new Microsoft Windows privilege escalation vulnerability (CVE-2022-21882) was being exploited in the wild. These reports prompted us to do an analysis of CVE-2022-21882, which turned out to be a vulnerability in the Win32k.sys user-mode callback function xxxClientAllocWindowClassExtraBytes.
In 2021, a very similar vulnerability (CVE-2021-1732) was reported to – and patched by – Microsoft. We decided to take
Tenable
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
blogs_tenable·2023-05-09·CVSS 7.8
[HIGH] Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
Sentinelone
BlueSky
blogs_sentinelone·2022-11-30
BlueSky
Sentinelone
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
blogs_sentinelone·2022-08-25·CVSS 10.0
[CRITICAL] BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.
Although infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully developed for a sustained campaign. In this post, we cover the latest intelligence on BlueSky ransomware to help security teams defend against this developing threat.
## Emergence of BlueSky Ransomware
BlueSky was first noted on VirusTotal by researcher @Kangxiaopao in late June 2022. Subsequently, analysts from CloudSek and Unit42 have documented some of BlueSky’s behavior.
At present, BlueS
Securelist
IT threat evolution in Q1 2022. Non-mobile statistics
blogs_securelist·2022-05-27
IT threat evolution in Q1 2022. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
  - Financial threat statistics
  - Geography of financial malware attacks
  - TOP 10 banking malware families
- Ransomware programs
  - Quarterly trends and highlights
    - Law enforcement successes
    - HermeticWiper, HermeticRansom and RUransom, etc.
    - Conti source-code leak
    - Attacks on NAS devices
    - Maze Decryptor
  - Number of new modifications
  - Number of users attacked by ransomware Trojans
  - Geography of attacked users
  - TOP 10 most common families of ransomware Trojans
- Miners
  - Number of new miner modifications
  - Number of users attacked by miners
  - Geography of miner attacks
- Vulnerable applications used by criminals during cyberattacks
  - Quarter highlights
  - Vulnerability statistics
- Attacks on macOS
  - Geography of threats for macOS
- IoT attacks
  - IoT threat
Securelist
PC malware statistics, Q1 2022
blogs_securelist·2022-05-27
PC malware statistics, Q1 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2022
- IT threat evolution in Q1 2022. Non-mobile statistics
- IT threat evolution in Q1 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2022:
- Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
- Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
- Attempts to run malware
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Wiz
Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz | Wiz Blog
blogs_wiz·2022-02-10·CVSS 7.0
[HIGH] Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz | Wiz Blog
Wiz supports the new CISA Known Exploited Vulnerabilities (KEV) Catalog as a source of exploit intelligence to vulnerability findings, on top of other sources. The new CISA binding directive helps enterprises to reduce cyber incidents by prioritizing the mitigation of vulnerabilities known to be actively exploited in order to improve the vulnerability management process. Vulnerabilities listed in the KEV catalog are less than 1% of the vulnerability findings in the cloud. Combined with the unique capabilities offered by Wiz to discover the toxic combinations that represent a real threat in your cloud environment, you can now better prioritize and focus on the risks that matter the most.
## What is the CISA KEV Catalog?
CISA, the Cybersecurity & Infrastructure Security Agency, released a
Krebs
Microsoft Patch Tuesday, February 2022 Edition
blogs_krebs·2022-02-08·CVSS 7.0
[HIGH] Microsoft Patch Tuesday, February 2022 Edition
Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.
While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s Sharepoint Server versions 2013-2019 that could be exploited by any authenticated user.
“The vulnerability does require an attacker to be authenticated in order t
Tenable
Microsoft’s February 2022 Patch Tuesday Addresses 48 CVEs (CVE-2022-21989)
blogs_tenable·2022-02-08·CVSS 7.8
[HIGH] Microsoft’s February 2022 Patch Tuesday Addresses 48 CVEs (CVE-2022-21989)
Checkpoint
31st January– Threat Intelligence Report
blogs_checkpoint·2022-01-31
CVE-2021-20038 31st January– Threat Intelligence Report
## 31st January– Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st January, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A hacktivist group from Belarus called “Belarusian Cyber Partisans” has breached the computer systems of Belarusian Railways. The threat actors claim to have encrypted the network and are extorting the Belarusian government, asking for the release of 50 political prisoners and a pledge from Belarusian Railways to halt transpor
Zscaler
Zscaler protects against 6 new vulnerabilities | 01-11-2022
blogs_zscaler·CVSS 7.0
[HIGH] Zscaler protects against 6 new vulnerabilities | 01-11-2022
Crowdstrike
January 2022 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] January 2022 Patch Tuesday: Updates and Analysis
Sentinelone
BlueSky
blogs_sentinelone
BlueSky
# BlueSky Ransomware: In-Depth Analysis, Detection, and Mitigation
## What is BlueSky Ransomware?
BlueSky ransomware emerged in July 2022 and is known to distribute its payload through trojanized downloads from risky websites. Based on current observations, BlueSky operators do not operate a victim data listing blog.
## What Does BlueSky Ransomware Target?
BlueSky ransomware is known to target large enterprises and high-value targets as well as small and medium-sized businesses (SMBs).
## How Does BlueSky Ransomware Work?
BlueSkyThanos ransomware targets its victims through trojanized downloads. Once active, the ransomware has the ability to move laterally (spreading via SMB).
## BlueSky Ransomware Technical Details
Initial delivery can vary by affiliate. However, some
Published: 2022-01-11
Added to CISA KEV: 2022-02-04
Exploited in the wild