Windows Group Policy is a key feature that allows organizations to centrally manage security and configuration settings for users and computers in an Active Directory environment. However, a critical flaw was found — tracked as CVE-2022-37992 — which could let attackers get SYSTEM privileges, potentially taking over affected machines. This post breaks down the vulnerability, original references, exploitation details, and shares practical code snippets in an easy-to-digest manner. If you’re responsible for Windows security, read closely.
What is CVE-2022-37992?
CVE-2022-37992 is an "Elevation of Privilege" vulnerability specifically in the Windows Group Policy feature. It is different from CVE-2022-41086 (another Group Policy EoP flaw), so make sure not to mix these up.
Microsoft’s summary (official CVE page):
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft rated it as Important with a CVSS of 7.8 (High).
Patched in November 2022's Patch Tuesday.
How Does the Vulnerability Work?
Group Policy allows admin consoles to push settings/scripts to remote computers. A flaw in the way scripts or policies are handled could let a normal user run code as SYSTEM.
Prior to the patch, attackers could abuse a logic flaw related to how Group Policy scripts are downloaded and executed. If an attacker can convince Windows to run their own script (for example, by controlling a path or manipulating certain policy configurations), they could run commands with the highest system privileges.
Group Policy allows scripts to run on logon, startup, etc.
- The Group Policy server/share is poorly secured or certain files are writable.
Attack Steps
1. Locate a writable GPO folder/share.
Proof-of-Concept Code (POC)
Below is a simple code snippet that an attacker might use if they have access to the GPO scripts location. They drop a malicious batch file, which will run as SYSTEM next Group Policy update.
:: evil_script.bat - Spawn a SYSTEM shell
@echo off
echo Running as: %USERNAME%
net user attacker P@sswrd! /add
net localgroup administrators attacker /add
Then, they’d place evil_script.bat in the \\domaincontroller\SYSVOL\domain\scripts\ folder or as a Startup/Logon script in the Group Policy Object.
To trigger the Group Policy update
gpupdate /force
If exploited, the attacker now has a new local admin (named attacker) on the target machine.
Install the November 2022 security updates.
Microsoft Security Update Guide for CVE-2022-37992
- Restrict SYSVOL/NETLOGON shares:
Microsoft Advisory:
Rapid7 Analysis:
Rapid7 Threat Analysis on Patch Tuesday November 2022
SANS Internet Storm Center Diary:
Wrapping Up
CVE-2022-37992 is a serious flaw that could help attackers jump from regular user to full SYSTEM rights — the holy grail for any Windows attacker. The issue is rooted in the way Group Policy processes scripts and trust. If you administrate Windows servers or domains, patch ASAP, audit your shares and group policies, and be careful who can write to sensitive Group Policy locations.
Remember: A patch half-applied is the same as no patch at all.
Stay Secure!
Feel free to share your experience or questions below.
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC