CVE-2022-24521

HIGH KEV RANSOMWARE

Windows Common Log File System Driver - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2022-24521 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including uname1able.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2022-24521, a vulnerability in the Windows Common Log File System (CLFS) driver. The PoC manipulates CLFS structures to achieve arbitrary memory writes, leading to local privilege escalation (LPE) by replacing a token.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (1)

nomisec WORKING POC

by uname1able · local

https://github.com/uname1able/CVE-2022-24521

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2022-24521, a vulnerability in the Windows Common Log File System (CLFS) driver. The PoC manipulates CLFS structures to achieve arbitrary memory writes, leading to local privilege escalation (LPE) by replacing a token.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows 10/11 (CLFS driver)

No auth needed

Prerequisites: Local access to the system · Ability to execute arbitrary code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24521

Scores

CVSS v3 7.8

EPSS 0.0730

EPSS Percentile 93.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-04-13

VulnCheck KEV 2022-04-12

InTheWild.io 2022-04-12

ENISA EUVD EUVD-2022-29401

Ransomware Use Confirmed

CWE

CWE-787

Status published

Products (19)

microsoft/windows_10_1507 < 10.0.10240.19265

microsoft/windows_10_1607 < 10.0.14393.5066

microsoft/windows_10_1809 < 10.0.17763.2803

microsoft/windows_10_1909 < 10.0.18363.2212

microsoft/windows_10_20h2 < 10.0.19042.1645

microsoft/windows_10_21h1 < 10.0.19043.1645

microsoft/windows_10_21h2 < 10.0.19044.1645

microsoft/windows_11_21h2 < 10.0.22000.613

microsoft/windows_7

microsoft/windows_8.1

... and 9 more

Published Apr 15, 2022

KEV Added Apr 13, 2022

Tracked Since Feb 18, 2026