CVE-2022-24543: Windows Upgrade Assistant Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.8)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Apr
Released: 2022-04-12
Last Updated: 2022-04-19
EPSS Score: 1.57% (percentile: 81.5%)

FAQ

How could an attacker exploit this vulnerability?

The attacker would need to trick or coerce a legitimate user into downloading and executing a specially crafted install file.

How do I get the update?

The Windows Upgrade Assistant for Windows 10 will automatically install the fix when you navigate to https://www.microsoft.com/software-download/windows10 and click Update Now.

Affected Products (1)

Windows

  • Windows Upgrade Assistant

Security Updates (1)

Acknowledgments

  • JaeHeng Yoon (@onnoveath, https://twitter.com/onnoveath) with JENBlack Soft
  • DoHyun Lee (@l33d0hyun, https://twitter.com/l33d0hyun) with DNSLab, Korea University
  • SeungYun LEE (@SeungYun_Le2, https://twitter.com/SeungYun_Le2)

Revision History

  • 2022-04-12: Information published.
  • 2022-04-19: Updated acknowledgment. This is an informational change only.