CVE-2022-30216

HIGH

Windows 10 and Windows 11 - Unrestricted Upload of File with Dangerous Type

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-30216. PoCs published by corelight.

AI-analyzed exploit summary This repository provides a Zeek package for detecting attempts and exploits of CVE-2022-30216, an NTLM relay attack against Windows Server. It includes installation instructions and example notices for detection.

Description

Windows Server Service Tampering Vulnerability

Exploits (1)

nomisec WRITEUP

by corelight · poc

https://github.com/corelight/CVE-2022-30216

View Code ZIP pw:eip

This repository provides a Zeek package for detecting attempts and exploits of CVE-2022-30216, an NTLM relay attack against Windows Server. It includes installation instructions and example notices for detection.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Windows Server (NTLM relay vulnerability)

No auth needed

Prerequisites: Network access to target Windows Server · Ability to intercept NTLM authentication traffic

MITRE ATT&CK

T1550.002 - Pass the Hash

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216

Scores

CVSS v3 8.8

EPSS 0.8834

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (6)

microsoft/windows_10 20h2 (3 CPE variants)

microsoft/windows_10 21h1 (3 CPE variants)

microsoft/windows_10 21h2 (3 CPE variants)

microsoft/windows_11 (2 CPE variants)

microsoft/windows_server_2016 20h2

microsoft/windows_server_2022

Published Jul 12, 2022

Tracked Since Feb 18, 2026