CVE-2022-47529

MEDIUM

RSA NetWitness <12.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-47529. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: This exploit targets RSA NetWitness Platform 12.2 by manipulating insecure Win32 memory objects to modify the endpoint agent service configuration, allowing local users to stop the agent or execute arbitrary commands. The PoC demonstrates ACL modification to deny access to the 'Everyone' group, bypassing tamper-protection features.

Description

Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

Exploits (2)

exploitdb WORKING POC
by hyp3rlinx · text · local · windows
https://www.exploit-db.com/exploits/51336

This exploit targets RSA NetWitness Platform 12.2 by manipulating insecure Win32 memory objects to modify the endpoint agent service configuration, allowing local users to stop the agent or execute arbitrary commands. The PoC demonstrates ACL modification to deny access to the 'Everyone' group, bypassing tamper-protection features.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: RSA NetWitness Platform 12.2 and prior
No auth needed
Prerequisites: Local access to the system · RSA NetWitness Endpoint EDR Agent installed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by hyp3rlinx · poc
https://github.com/hyp3rlinx/CVE-2022-47529

This PoC exploits an incorrect access control vulnerability (CVE-2022-47529) in RSA NetWitness Platform EDR Agent, allowing local users to tamper with the service by modifying insecure Win32 memory event objects. The exploit can stop the agent or execute arbitrary commands, bypassing tamper-protection features.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: RSA NetWitness Platform EDR Agent through 12.x
No auth needed
Prerequisites: Local access to a Windows system with RSA NetWitness EDR Agent installed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.7
EPSS: 0.0157
EPSS Percentile: 72.1%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Status: published
Products (1): rsa/netwitness < 12.2
Published: Mar 28, 2023
Tracked Since: Feb 18, 2026