CISA: Hackers Actively Exploiting Windows Print Spooler Privilege Escalation Flaw

On February 2022 Patch Tuesday, Microsoft released a patch to fix a high severity Windows Print Spooler privilege escalation vulnerability, tracked as CVE-2022-22718, which was one of four privilege escalation vulnerabilities in the Windows Print Spooler component to be patched on February 8. The vulnerability was assigned a CVSS severity score of 7.8 out of 10 and was marked as ‘exploitation more likely’. Hackers can exploit the flaw locally without any user interaction to elevate privileges in a low-complexity attack.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added the vulnerability to its Known Exploited Vulnerabilities Catalog as evidence has been found of hackers exploiting the vulnerability in the wild. CISA also added a further two vulnerabilities to the Exploited Vulnerabilities Catalog on April 19, 2022.

CVE-2018-6882 is a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS). The vulnerability has a CVSS severity score of 6.1 and is rated medium severity but is being actively exploited. The flaw allows remote attackers to inject an arbitrary web script or HTML via a Content-Location header in an email attachment.

The vulnerability is known to have been exploited in phishing attacks on government agencies in Ukraine. The attacks aim to deliver the IcedID banking Trojan, according to a recent security advisory from the Computer Emergency Response Team of Ukraine (CERT-UA). The attacks start with a phishing email carrying an Excel spreadsheet attachment with a malicious macro that, if allowed to run, will deliver IcedID. While IcedID started life as a banking Trojan, it is now used for a range of malicious purposes, including stealing sensitive files and delivering secondary payloads such as ransomware. Emails have also been identified that include image attachments with a Content-Location header that points to a remote server hosting malicious JavaScript code, which exploits the Zimbra XSS vulnerability. This results in the injection of malicious JavaScript code that forwards the victims’ emails to an attacker-owned email address.
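
A triage check for the delivery pattern described above, as an added example that is not from the original article or from CERT-UA: it walks a message's MIME parts and reports any Content-Location header that is a remote http(s) URL or contains markup characters. The function name, the reason labels and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

MARKUP = re.compile(r"[<>\"'`]")  # never expected in a content URI

# Constructed sample: image attachment whose Content-Location is a remote URL.
SAMPLE = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--b1\r\nContent-Type: image/png\r\n"
    b'Content-Disposition: attachment; filename="photo.png"\r\n'
    b"Content-Location: http://files.example.invalid/view.js\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
)

def audit_content_location(raw: bytes) -> list:
    """Return one finding per MIME part with a risky Content-Location."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        value = part.get("Content-Location")
        if value is None:
            continue
        value = str(value).strip()
        reasons = []
        try:
            scheme = urlsplit(value).scheme.lower()
        except ValueError:
            scheme, reasons = "", ["unparseable"]
        if scheme in ("http", "https"):
            reasons.append("remote-url")       # header points off-host
        elif scheme and scheme != "cid":
            reasons.append("unexpected-scheme")
        if MARKUP.search(value):
            reasons.append("markup-characters")
        if reasons:
            findings.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "content_location": value,
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in audit_content_location(SAMPLE):
        print(f)
```

A hit is a reason to quarantine and review the message, not proof of exploitation; relative Content-Location values and `cid:` references pass without a finding.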

CISA has also added CVE-2019-3568 to the Known Exploited Vulnerabilities Catalog. This bug is a buffer overflow vulnerability in the WhatsApp VOIP stack with a CVSS severity score of 9.8; it allows remote code execution via a specially crafted series of RTCP packets sent to a target phone number.

CISA has issued a binding operational directive (BOD 22-01) for all Federal Civilian Executive Branch Agencies (FCEB) that requires them to patch the three vulnerabilities within 3 weeks. While the BOD only applies to federal agencies, CISA has encouraged all organizations to patch these vulnerabilities to prevent exploitation.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news