CVE-2022-26809

CRITICAL EXPLOITED RANSOMWARE

Microsoft Windows RPC Runtime - Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2022-26809 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 10 public exploits from researchers including fuckjsonp, s1ckb017, yuanLink.

AI-analyzed exploit summary

This repository describes a honeypot mechanism targeting red team members using mobile hotspots, focusing on tracing attackers by capturing their phone numbers via JavaScript. It includes details on detecting debug modes and Burp Suite vulnerabilities, along with a list of APIs used for tracing.

Description

Remote Procedure Call Runtime Remote Code Execution Vulnerability

Exploits (10)

nomisec WRITEUP 410 stars
by fuckjsonp · poc
https://github.com/fuckjsonp/FuckJsonp-RCE-CVE-2022-26809-SQL-XSS-FuckJsonp

This repository describes a honeypot mechanism targeting red team members using mobile hotspots, focusing on tracing attackers by capturing their phone numbers via JavaScript. It includes details on detecting debug modes and Burp Suite vulnerabilities, along with a list of APIs used for tracing.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: N/A
No auth needed
Prerequisites: Attacker using a mobile hotspot · Victim interacting with the honeypot
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 107 stars
by s1ckb017 · dos
https://github.com/s1ckb017/PoC-CVE-2022-26809

This PoC exploits CVE-2022-26809, an integer overflow vulnerability in the RPC runtime library, by sending maliciously crafted DCERPC packets to trigger a denial-of-service (DoS) condition. It overrides Impacket's transport functions to manipulate packet fragmentation and alloc hints, leading to a crash in the target system.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows RPC runtime library (affects multiple Windows versions)
Auth required
Prerequisites: Network access to the target RPC endpoint · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 61 stars
by yuanLink · poc
https://github.com/yuanLink/CVE-2022-26809

This repository contains a working PoC for CVE-2022-26809, which coerces NTLM authentication from Windows hosts via EFS-RPC. The exploit leverages multiple methods in the EFS protocol to force authentication to an attacker-controlled SMB server.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Windows Server (EFS-RPC)
No auth needed
Prerequisites: Network access to target · Attacker-controlled SMB server
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 33 stars
by corelight · poc
https://github.com/corelight/cve-2022-26809

This repository provides detection logic for CVE-2022-26809, a remote code execution vulnerability in DCE/RPC. It includes Zeek scripts to generate notices for exploit attempts and successful exploitation.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft DCE/RPC
No auth needed
Prerequisites: Network access to vulnerable DCE/RPC service
devstral-2 · analyzed Feb 16, 2026
nomisec STUB 27 stars
by websecnl · poc
https://github.com/websecnl/CVE-2022-26809

The repository contains a README detailing CVE-2022-26809, an RPC vulnerability in Windows, but the exploit.py file is a non-functional stub with no working exploit code. The author notes the PoC is still in development.

Classification: Stub 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Windows RPC (rpcrt4.dll) on various Windows versions
No auth needed
Prerequisites: Network access to target SMB/RPC service · Unpatched Windows host
devstral-2 · analyzed Feb 16, 2026
nomisec STUB 20 stars
by sherlocksecurity · poc
https://github.com/sherlocksecurity/Microsoft-CVE-2022-26809-The-Little-Boy

This repository is a placeholder for a future PoC for CVE-2022-26809, an RCE vulnerability in Microsoft RPC. It currently contains no functional exploit code, only a README indicating intent to provide a one-click RCE.

Classification: Stub 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft RPC (specific version not specified)
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 7 stars
by auduongxuan · poc
https://github.com/auduongxuan/CVE-2022-26809

This is a Python-based exploit for CVE-2022-26809 (PrintNightmare), which leverages the MS-RPRN protocol to achieve remote code execution by adding a malicious printer driver. The exploit interacts with the Windows Print Spooler service to stage and execute arbitrary DLLs.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows Print Spooler Service (spoolsv.exe)
Auth required
Prerequisites: Valid credentials or NTLM hashes for authentication · Network access to the target's SMB service (port 445 or 139) · A writable SMB share hosting the malicious DLL
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by michealadams30 · poc
https://github.com/michealadams30/Cve-2022-26809

This repository contains a proof-of-concept exploit for CVE-2022-26809, a vulnerability in the Windows RPC runtime library (rpcrt4.dll). The exploit triggers an integer overflow in the `OSF_CASSOCIATION::ProcessBindAckOrNak` function by sending a specially crafted RPC request, similar to the exploitation method used in CVE-2021-43893.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: Windows RPC runtime library (rpcrt4.dll)
Auth required
Prerequisites: Access to a vulnerable Windows system · Network connectivity to the target · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026
nomisec SUSPICIOUS
by oppongjohn · poc
https://github.com/oppongjohn/CVE-2022-26809-RCE

The repository claims to be a PoC for CVE-2022-26809 but only contains a README with a link to an external payment site, which is highly unusual for legitimate exploit PoCs.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Unknown
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by Lay0us · poc
https://github.com/Lay0us/CVE-2022-26809-RCE

This repository claims to be a PoC for CVE-2022-26809 (RPC-based RCE in Windows) but contains non-functional code with a disclaimer stating it does not work. The script attempts to bind to the Spooler service but lacks proper exploit logic.

Classification: Stub 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Microsoft Windows (Spooler Service)
Auth required
Prerequisites: Network access to target · Valid credentials (if auth is enforced)
devstral-2 · analyzed Feb 16, 2026


Scores

CVSS v3 9.8
EPSS 0.9181
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2022-04-14
Ransomware Use Confirmed
Status published
Products (19)
microsoft/windows_10
microsoft/windows_10 20h2
microsoft/windows_10 21h1
microsoft/windows_10 21h2
microsoft/windows_10 1607
microsoft/windows_10 1809
microsoft/windows_10 1909
microsoft/windows_11 (2 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
... and 9 more
Published Apr 15, 2022
Tracked Since Feb 18, 2026