CVE-2022-26904

HIGH KEV

Windows User Profile Service - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2022-26904 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 25, 2022. EIP tracks 1 public exploit from researchers including KLINIX5, Grant Willcox, including a Metasploit module exploits/windows/local/cve_2022_26904_superprofile.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-26904, a local privilege escalation vulnerability in the Windows User Profile Service (ProfSrv) due to insufficient checks in the CreateDirectoryJunction() function. It allows an attacker to plant a malicious DLL in a system directory and execute it as NT AUTHORITY\SYSTEM via a UAC prompt.

Description

Windows User Profile Service Elevation of Privilege Vulnerability

Exploits (1)

metasploit WORKING POC EXCELLENT

by KLINIX5, Grant Willcox · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2022_26904_superprofile.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-26904, a local privilege escalation vulnerability in the Windows User Profile Service (ProfSrv) due to insufficient checks in the CreateDirectoryJunction() function. It allows an attacker to plant a malicious DLL in a system directory and execute it as NT AUTHORITY\SYSTEM via a UAC prompt.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10/11 and Windows Server 2022 (specific builds)

Auth required

Prerequisites: Secondary non-admin user credentials · UAC set to 'Always Notify Me When' · Target user must have logged in at least once

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26904

Scores

CVSS v3 7.0

EPSS 0.0974

EPSS Percentile 94.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-04-25

VulnCheck KEV 2022-04-14

InTheWild.io 2022-04-14

ENISA EUVD EUVD-2022-31451

CWE

CWE-362

Status published

Products (19)

microsoft/windows_10_1507 < 10.0.10240.19265

microsoft/windows_10_1607 < 10.0.14393.5066

microsoft/windows_10_1809 < 10.0.17763.2803

microsoft/windows_10_1909 < 10.0.18363.2212

microsoft/windows_10_20h2 < 10.0.19042.1645

microsoft/windows_10_21h1 < 10.0.19043.1645

microsoft/windows_10_21h2 < 10.0.19044.1645

microsoft/windows_11_21h2 < 10.0.22000.613

microsoft/windows_7

microsoft/windows_8.1

... and 9 more

Published Apr 15, 2022

KEV Added Apr 25, 2022

Tracked Since Feb 18, 2026