CVE-2022-38028:
A local elevation-of-privilege vulnerability in the Windows Print Spooler (CVE-2022-38028) could allow a low-privileged attacker to run code with SYSTEM privileges, potentially taking full control of affected Windows systems; patches are available and should be applied across the impacted Windows client and server releases.
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.8 High
- Published Date: Oct 11, 2022
- CISA KEV Date: Apr 23, 2024
- Industries Affected: 20
Threat Predictions
- EPSS Score: 5.0
- EPSS Percentile: 90%
Exploitability
- Score: 1.8
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2022-38028 is a local elevation-of-privilege vulnerability in the Windows Print Spooler service that affects a broad set of Windows client and server versions. With a CVSS v3.1 base score of 7.8, it requires low privileges and is exploitable locally without user interaction, potentially allowing an attacker to execute code with SYSTEM privileges and fully compromise a machine. The risk is mitigated by applying the Microsoft security updates that address the flaw; where patching is not possible, organizations should consider disabling the Print Spooler service on endpoints that do not require printing or applying other spooler-related mitigations. The vulnerability is documented in Microsoft’s advisory and CVE references, and it has been tracked by security advisories and catalogs.
Remediation
- Apply the Microsoft security updates that fix CVE-2022-38028 across all affected systems (via Windows Update, WSUS, or enterprise management tools) and reboot as required. Verify the patches have been successfully installed and that systems report updated build numbers.
- If patch deployment cannot be completed immediately, mitigate by disabling the Print Spooler service on systems where printing is not required (e.g., servers that do not host printers or endpoints without printer use). Set the service to Disabled or stop the service and block spooler-related activity where appropriate.
- For systems that must retain printing capabilities, minimize exposure by restricting spooler functionality and access (e.g., limit network spooler usage, apply least privilege for spooler operations, and consider network segmentation for printing-related hosts).
- Enable ongoing patch management and monitor Microsoft advisories for any additional guidance or follow-up fixes. Validate patch status with asset inventories and vulnerability scanners.
- After patching or applying mitigations, test printing functionality and verify that the spooler service operates normally without exposing exploitable conditions.
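One way to carry out the spooler mitigation from the second remediation item, as an added example that is not Armis or Microsoft code: it reports the Print Spooler state and disables the service only when no printer queues beyond the built-in virtual ones are defined. The function name `Set-SpoolerMitigation` and the default list of virtual printers are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Print Spooler and optionally disable it where
# printing is not in use. Function name and virtual-printer list are assumptions.
function Set-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Disable,
        # Assumption: queues that do not count as real printing on this host.
        [string[]]$VirtualPrinters = @('Microsoft Print to PDF',
                                       'Microsoft XPS Document Writer',
                                       'OneNote (Desktop)', 'Fax')
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) { throw 'Print Spooler service not found on this host.' }

    # Get-Printer needs a running spooler; if the service is already stopped,
    # nothing is being printed, so the queue list is reported as empty.
    $printers = @()
    if ($svc.State -eq 'Running') {
        $printers = @(Get-Printer -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notin $VirtualPrinters })
    }

    $action = 'None'
    if ($Disable -and $printers.Count -eq 0 -and $svc.StartMode -ne 'Disabled') {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Spooler')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $action = 'Disabled'
        }
    } elseif ($Disable -and $printers.Count -gt 0) {
        $action = 'Skipped: printer queues present'
    }

    # Re-read the service so the report reflects the state after any change.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        State        = $after.State
        StartMode    = $after.StartMode
        RealPrinters = $printers.Name -join ', '
        Action       = $action
    }
}

Set-SpoolerMitigation                      # report only, changes nothing
# Set-SpoolerMitigation -Disable -WhatIf   # preview the change before applying
```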
References
- [Microsoft MSRC - CVE-2022-38028](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028)
- [CISA Known Exploited Vulnerabilities Catalog - CVE-2022-38028](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-38028)
- [CVE Program Container - Advisory for CVE-2022-38028](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38028)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Apr 22, 2024
- CISA KEV Date: Apr 23, 2024
- Days Early: 560 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.