CVE-2022-24499 - Windows Installer Elevation of Privilege Vulnerability Explained

In early 2022, Microsoft disclosed a serious security flaw, tracked as CVE-2022-24499, in the Windows Installer service. This bug allows attackers to get *elevated privileges* on a Windows system — in simple terms, standard users could become SYSTEM, the most powerful user account on Windows. This vulnerability is distinct from the similar-sounding CVE-2022-24530.

This post breaks down how CVE-2022-24499 works, who’s at risk, and shows you (educational only!) what exploitation might look like, using clear examples and official resources.

What is Windows Installer?

Windows Installer (msiexec.exe) is a service built into Windows that helps install, maintain, and remove software. Since it often works with system files, it has high-level privileges — that's a security risk if there's a bug.

About CVE-2022-24499

- CVE ID: CVE-2022-24499 (NIST)

What’s the problem?

Windows Installer had a logic bug in how it handled certain operations. A regular, limited user could trick Windows Installer into running code (like a program or a script) as SYSTEM — the highest administrative privilege. If an attacker successfully exploited the bug, they could:

Technical Details

Microsoft’s security advisory kept details vague to prevent easy exploitation. However, security researchers have since analyzed and shared how it works. The flaw is related to how Windows Installer handles file operations with symbolic links (symlinks).

When a user uninstalls or rolls back an MSI package, Windows Installer removes certain files.

- The uninstaller process could be tricked into working on arbitrary files via symlinks, because it trusted file paths in a certain way.
- If an attacker placed a symlink pointing, say, to a sensitive system file (like C:\Windows\System32\config\SAM), the uninstaller would delete or modify it with SYSTEM privileges.
- Alternatively, attacker could overwrite a privileged file with malicious content — leading to code execution as SYSTEM.

Get Access: Attacker needs an account on the target (often with standard user privileges).

2. Prepare Files/Folders: Create a directory and files in a user-writable spot (like %TEMP%).

Set Up Symlink: Replace a target file with a symbolic link pointing to a victim system file.

4. Trigger Uninstall: User or attacker runs an uninstallation (or rollback) of a vulnerable MSI package.
5. Privilege Escalation: The installer follows the symlink and modifies/deletes/overwrites the system file as SYSTEM.

Example Code Snippet (Python)

Note: This is for educational ONLY — Do not use on systems you do not own!

import os
import subprocess

# Directories
user_temp = os.getenv("TEMP")
target_file = os.path.join(user_temp, "file_to_be_deleted.txt")
system_file = "C:\\Windows\\System32\\drivers\\etc\\hosts"

# 1. Remove old target if it exists
if os.path.exists(target_file):
    os.remove(target_file)

# 2. Create a symlink (requires SeCreateSymbolicLinkPrivilege)
os.symlink(system_file, target_file)

print(f"Created symlink: {target_file} -> {system_file}")

# 3. Now, trigger the MSI uninstall that will cause Windows Installer to try to delete 'file_to_be_deleted.txt'
# It will delete the 'hosts' file as SYSTEM instead!
subprocess.run(['msiexec', '/x', 'VulnerablePackage.msi', '/qn'])
# '/x' = uninstall, '/qn' = quiet mode (no user interface)

Demo Scenario: This code creates a symlink from a user-accessible file to a SYSTEM file. When the MSI uninstallation runs (and tries to delete "file_to_be_deleted.txt"), it will instead delete the "hosts" file as SYSTEM. This could be adapted to overwrite files or run code as SYSTEM.

Real-World Exploits

Several public references outline in-depth exploitation and proof-of-concept (PoC) attacks. (For safety, some links only describe the method, not actual working code.)

- CVE-2022-24499: Windows Installer EoP Analysis (GitHub Gist by Oliver Lyak)
- NVD Entry
- Microsoft Advisory
- Windows Installer Symlink Attack Research (twitter thread)

What Makes CVE-2022-24499 Different from CVE-2022-24530?

Both vulnerabilities affect Windows Installer, but they arise from different bugs and have different exploit techniques. *Exploits and patches for one do not apply to the other.*

CVE-2022-24530: Involved different MSI logic and attack surface.

- CVE-2022-24499: Focused on symbolic link issues during file removal/deletion.

References for CVE-2022-24530:  
- Microsoft CVE-2022-24530

How to Stay Safe

Patches:

Install all available security updates.

Workarounds:  
If updating is not possible, make sure normal users cannot write to system directories, and audit MSI usage. Restrict the use of removable media and downloads from untrusted sources.

Final Words

CVE-2022-24499 is a textbook example of how small mistakes in privileged system tools can lead to full compromise. Always keep your system updated, and for IT admins, review permissions and ensure only trusted users can install or uninstall software.

Learn more

- Microsoft Security Response Center - CVE-2022-24499
- NVD Detail & References
- Oliver Lyak’s Symlink PoC (analysis)

Timeline

Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/22/2022 15:42:00 UTC