CVE-2022-3699
Published 2023-10-25
Priority: P2 · 76 · high · 7.8 (CVSS 3.1)
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.28% (89.9th percentile)
A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45
that could allow a local user to execute code with elevated privileges.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lenovo | diagnostics | < 4.45.0 | 4.45.0 |
| lenovo | diagnostics | >= < 4.45 | 4.45 |
| lenovo | hardwarescan_addin | < 2.4.1.1 | 2.4.1.1 |
| lenovo | hardwarescan_plugin | < 1.3.1.2 | 1.3.1.2 |
| lenovo | hardwarescanplugin | >= < 1.3.1.2 | 1.3.1.2 |
Detection & IOCs
- CVE-2022-3699 affects the Lenovo Diagnostics Driver; exploit delivers arbitrary physical/virtual memory read/write via device IOCTLs, enabling privilege escalation from low-privileged user to SYSTEM by overwriting the process access token in kernel memory.
- CVE-2022-3699 (Lenovo Mapper/Diagnostics driver) has been weaponized in BYOVD attacks to load unsigned kernel code; monitor for creation of new kernel driver services by non-administrative or unexpected processes.
- For BlackByte BYOVD attacks, dropped vulnerable drivers follow a naming convention of eight random alphanumeric characters followed by an underscore and an iterating number value; alert on driver filenames matching this pattern.
- Privilege escalation via vulnerable driver involves reading/writing the _EPROCESS token offset; monitor for low-privilege processes spawning with SYSTEM token after driver IOCTL activity.
- A Metasploit module exists for CVE-2022-3699 (cve_2022_3699_lenovo_diagnostics_driver.rb); monitor for exploitation attempts using this module's IOCTL memmove technique.
- CVE-2022-3699 affects Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45; versions at or above these thresholds are patched.
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.8 HIGH
GHSA
GHSA-hwcv-rwgg-wfrh: A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1
ghsa_unreviewed·2023-10-25
CVE-2022-3699 [HIGH] CWE-787 GHSA-hwcv-rwgg-wfrh: A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1
VulnCheck
lenovo diagnostics Out-of-bounds Write
vulncheck·2022·CVSS 7.8
CVE-2022-3699 [HIGH] lenovo diagnostics Out-of-bounds Write
Affected: lenovo diagnostics
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/; https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/
Exploit PoC: https://vulncheck.com/xdb/0469da288eeb; https://vulncheck.com/xdb/db999fe3ff1d; https://vulncheck.com/xdb/a24957dd8b54; https://vulncheck.com/xdb/57d3c7d599dd
No detection rules found.
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist·2025-05-30
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist·2025-05-30·CVSS 7.8
CVE-2025-21333 [HIGH] Exploits and vulnerabilities in Q1 2025
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Talos
Exploring vulnerable Windows drivers
blogs_talos·2024-12-19
Exploring vulnerable Windows drivers
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. Some of this research was presented at the AVAR conference in Chennai at the beginning of December 2024.
We would like to send a special thanks to Connor McGarr, Russell Sanford, Ryan Warns, Tim Harrison and Michal Poslušný for their previous work on analyzing vulnerabilities in drivers.
During our research into vulnerable Windows drivers, we investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation. The attacks in which attackers are deliberately installing known vulnerable drivers only to later exploit them i