CVE-2022-3699

HIGH EXPLOITED

Lenovo Diagnostics < 4.45.0 and HardwareScan Plugin < 1.3.1.2 - Privilege Escalation via Out-of-bounds Write

Exploitation Summary

CVE-2022-3699 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including alfarom256, estimated1337 and Eap2468, as well as the Metasploit module exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.

Description

A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

Exploits (5)

nomisec WORKING POC 178 stars
by alfarom256 · local
https://github.com/alfarom256/CVE-2022-3699

This repository contains functional exploit code for CVE-2022-3699, demonstrating arbitrary read/write operations in physical and virtual memory via a vulnerable Lenovo driver. The code includes methods for memory manipulation and pattern searching, indicative of a local privilege escalation exploit.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Lenovo driver (specific version not specified)
No auth needed
Prerequisites: Access to the vulnerable Lenovo driver · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 71 stars
by estimated1337 · local
https://github.com/estimated1337/lenovo_exec

This repository contains a functional exploit for CVE-2022-3699, demonstrating arbitrary kernel code execution. The code includes PDB parsing and memory management utilities to facilitate the exploit.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Lenovo drivers (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable Lenovo system · Ability to execute code on the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Eap2468 · local
https://github.com/Eap2468/CVE-2022-3699

This repository contains a functional exploit for CVE-2022-3699, leveraging physical memory read/write operations via a vulnerable driver to achieve local privilege escalation (LPE) on Windows systems. The exploit dynamically resolves kernel structures and manipulates page tables to overwrite the token of the current process with that of the SYSTEM process.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Kernel (specific driver not explicitly named, but leverages vulnerable driver with IOCTL codes 0x222010 and 0x222014)
No auth needed
Prerequisites: Vulnerable driver loaded on the system · Administrative or SYSTEM privileges to interact with the driver
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb WORKING POC
local
https://github.com/Marc-andreLabonte/AnalyseDynamiqueModulesKernel

This repository contains a Go-based exploit PoC for CVE-2022-3699, targeting a Windows kernel driver vulnerability. It includes a fuzzer and an exploit skeleton that attempts to read/write kernel memory via IOCTL calls, though it notes difficulty in reproducing certain techniques from the referenced exploit.

Classification: Working PoC 80%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows kernel driver (specific driver not explicitly named)
No auth needed
Prerequisites: Access to the vulnerable driver · Ability to execute code on the target system
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC GOOD
by alfarom256, jheysel-r7 · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb

This Metasploit module exploits CVE-2022-3699, a vulnerability in the Lenovo Diagnostics Driver that allows arbitrary physical/virtual memory read/write via IOCTL due to incorrect access control. It achieves local privilege escalation by injecting a reflective DLL payload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Lenovo Diagnostics Driver (affecting various Windows versions)
No auth needed
Prerequisites: Local access to a vulnerable Windows system with the Lenovo Diagnostics Driver installed · Meterpreter session
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.0428
EPSS Percentile 89.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2024-12-19
CWE CWE-787
Status published
Products (3)
lenovo/diagnostics < 4.45.0
lenovo/hardwarescan_addin < 2.4.1.1
lenovo/hardwarescan_plugin < 1.3.1.2
Published Oct 25, 2023
Tracked Since Feb 18, 2026