CVE-2022-21999
CVE-2022-21999 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 4.6
- EPSS exploit prediction: 42% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-25)
- EU (EUVD) id: EUVD-2022-27153
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-25)
- Weakness: CWE-22
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-21999: Windows Print Spooler Path Traversal Elevation of Privilege
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2022-21999 is a local elevation-of-privilege vulnerability in the Windows Print Spooler service. The underlying weakness is classified as CWE-22 (Path Traversal), which allows an attacker to manipulate file paths and gain higher privileges on the affected system.
Background
The Windows Print Spooler service has historically been a high-value target for attackers seeking local privilege escalation. This vulnerability continues that pattern by exploiting insufficient path validation within the spooler, allowing an attacker to place or reference files in unintended locations.
Root Cause — CWE-22 (Path Traversal)
The vulnerability stems from a failure to properly sanitize or validate file paths supplied to the Print Spooler. By leveraging path traversal sequences, an attacker can redirect file operations to attacker-controlled locations. This bypasses intended access controls and ultimately leads to privilege escalation.
Impact
CVSS 3.1 score: 7.8 (HIGH) — Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Confidentiality Impact: High — an attacker can read sensitive data
- Integrity Impact: High — an attacker can modify data or system configuration
- Availability Impact: High — an attacker can disrupt system operation
Because the attack vector is local and requires low privileges, it is especially dangerous in multi-user environments, terminal services, and post-exploitation scenarios where an attacker already has a foothold.
Exploitation Walkthrough
Ethics & Scope: This section is provided for defensive awareness only. No working exploit code is included.
- An attacker with low-privileged local access interacts with the Windows Print Spooler service.
- The attacker supplies a crafted path containing traversal sequences to a spooler function that does not adequately validate the input.
- The spooler performs a file operation on the attacker-supplied path, enabling placement of malicious payloads in protected directories or loading of attacker-controlled binaries.
- The attacker then leverages the elevated context to execute arbitrary code with higher privileges, such as SYSTEM.
Real-world exploitation has been confirmed by both CISA and the European Union Vulnerability Database.
Affected and Patched Versions
Microsoft has not provided explicit patched-version build numbers in the available data. Organizations should apply the February 2022 Patch Tuesday security updates for Windows and verify patch status through the Microsoft Security Response Center (MSRC) advisory for CVE-2022-21999.
Affected platforms include (but may not be limited to):
- Windows 7 SP1
- Windows 8.1 / RT 8.1
- Windows 10 (multiple feature updates)
- Windows 11 version 21H2
- Windows Server 2008 SP2 / 2008 R2 SP1
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 20H2
Remediation
- Patch promptly — Apply the latest Microsoft security updates for Windows, prioritizing the February 2022 Patch Tuesday release.
- Disable Print Spooler — On systems that do not require printing, disable the Print Spooler service entirely. This is the strongest compensating control.
- Restrict driver installation — Enforce policies that prevent non-administrators from installing printer drivers.
- Network segmentation — Limit lateral movement by restricting print traffic between subnets where possible.
- Monitor spooler activity — Enable auditing for Print Spooler events (Event ID 808, 307) and monitor for anomalous driver installations or spooler crashes.
Detection
- Review Windows Event Logs for unusual Print Spooler activity, especially around driver installation and spooler restarts.
- Monitor for unexpected file writes in
C:\Windows\System32\spool\or related directories. - Use endpoint detection and response (EDR) tools to alert on processes spawned by the Print Spooler service with abnormal parent-child relationships.
- Look for known indicators of compromise associated with CVE-2022-21999 exploitation campaigns.
Assessment
EPSS score: 0.41683 (98.5th percentile) — this indicates a very high probability of active exploitation in the wild. CISA added CVE-2022-21999 to the Known Exploited Vulnerabilities catalog on 2022-03-25, and the EU Vulnerability Database (EUVD-2022-27153) also lists it as actively exploited.
Key lessons:
- Path traversal in privileged system services remains a critical and recurrent risk class.
- The Windows Print Spooler continues to be a prime target; organizations should treat it as a high-risk attack surface and apply the principle of least privilege by disabling it where unnecessary.
References
Frequently asked questions
- What is CVE-2022-21999?
- Windows Print Spooler Elevation of Privilege Vulnerability
- How severe is CVE-2022-21999?
- CVE-2022-21999 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-21999 being actively exploited?
- Yes. CVE-2022-21999 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-21999?
- CVE-2022-21999 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-21999?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-21999 have an EU (EUVD) identifier?
- Yes. CVE-2022-21999 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-27153. It is also flagged as exploited in the EUVD (since 2022-03-25).
- When was CVE-2022-21999 published?
- CVE-2022-21999 was published on 2022-02-09 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21999
Affected products (19)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…