CVE-2022-21894

MEDIUM EXPLOITED IN THE WILD

Windows 10, 11, 8.1, Server 2012, and Server - Secure Boot Security Feature Bypass


Exploitation Summary

CVE-2022-21894 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Wack0, ASkyeye, nova-master.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2022-21894, a Secure Boot bypass vulnerability in Windows Boot Applications. The exploit leverages the `truncatememory` BCD element to remove the serialised Secure Boot policy from memory, allowing dangerous settings to be used.

Description

Secure Boot Security Feature Bypass Vulnerability

Exploits (6)

nomisec WORKING POC 349 stars
by Wack0 · local
https://github.com/Wack0/CVE-2022-21894

This repository contains a proof-of-concept exploit for CVE-2022-21894, a Secure Boot bypass vulnerability in Windows Boot Applications. The exploit leverages the `truncatememory` BCD element to remove the serialised Secure Boot policy from memory, allowing dangerous settings to be used.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Windows Boot Applications (bootmgr, winload, hvloader)
Auth: No auth needed
Prerequisites: Physical access or ability to modify boot configuration · Vulnerable Windows Boot Application
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC 15 stars
by ASkyeye · local
https://github.com/ASkyeye/CVE-2022-21894-Payload

This PoC demonstrates exploitation of CVE-2022-21894 by mapping a second-stage payload to call EFI services. It allocates executable memory and copies an EFI application into it, then executes it in firmware context.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Boot Manager (bootmgfw.efi) on Windows 10/11 (19041)
Auth: No auth needed
Prerequisites: Local access to a vulnerable system · Ability to execute code in the boot environment
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC 10 stars
by Wack0 · local
https://github.com/Wack0/batondrop_armv7

This repository contains a working exploit for CVE-2022-21894, targeting ARMv7-based Windows RT devices (MSM8960). The exploit leverages a baton drop technique to achieve code execution by loading unsigned EFI payloads via a modified boot process.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows RT (ARMv7, MSM8960)
Auth: No auth needed
Prerequisites: Physical access to the device · USB device with GPT FAT32 partition · Unsigned EFI boot application
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC 3 stars
by nova-master · local
https://github.com/nova-master/CVE-2022-21894-Payload-New

This PoC exploits CVE-2022-21894, a vulnerability in Windows Boot Manager, by leveraging a crafted EFI application to achieve arbitrary code execution in the firmware context. The code demonstrates memory allocation and context switching to execute payloads in a privileged environment.

Classification: Working PoC (90%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Boot Manager (affected versions of Windows 10/11)
Auth: No auth needed
Prerequisites: Physical or administrative access to the target system · Ability to modify boot configuration or deploy malicious EFI applications
Analyzed by devstral-2 on Feb 16, 2026
nomisec WRITEUP
by qjawls2003 · poc
https://github.com/qjawls2003/BlackLotus-Detection

This repository provides detection methods and guidance for investigating CVE-2022-21894, the vulnerability exploited by the BlackLotus bootkit. It includes commands for checking EFI partition files, registry settings, and event logs, but does not contain exploit code.

Classification: Writeup (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows EFI bootloader
Auth: No auth needed
Prerequisites: Access to the EFI system partition · Administrative privileges for registry and event log queries
Analyzed by devstral-2 on Feb 16, 2026
nomisec SCANNER
by bakedmuffinman · poc
https://github.com/bakedmuffinman/BlackLotusDetection

This PowerShell script detects indicators of compromise (IOCs) for CVE-2022-21894 (BlackLotus UEFI bootkit) by checking the EFI partition for suspicious files, checking registry keys, and generating hashes of EFI files. It writes its findings to a text file for analysis.

Classification: Scanner (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Windows systems with UEFI firmware (affected by BlackLotus bootkit)
Auth: Auth required
Prerequisites: Local administrative privileges · Access to the EFI partition
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 4.4
EPSS: 0.0657
EPSS Percentile: 92.9%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2023-03-01
InTheWild.io: 2023-03-01
CWE: CWE-863
Status: published
Products (15)
microsoft/windows_10 (2 CPE variants)
microsoft/windows_10 20h2 (3 CPE variants)
microsoft/windows_10 21h1 (3 CPE variants)
microsoft/windows_10 21h2 (3 CPE variants)
microsoft/windows_10 1607 (2 CPE variants)
microsoft/windows_10 1809 (3 CPE variants)
microsoft/windows_10 1909 (3 CPE variants)
microsoft/windows_11 (2 CPE variants)
microsoft/windows_8.1 (2 CPE variants)
microsoft/windows_server 20h2
... and 5 more
Published: Jan 11, 2022
Tracked Since: Feb 18, 2026