CVE-2022-35753 in Windows
Summary
by MITRE • 05/31/2023
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/12/2026
This vulnerability resides within the Windows Secure Socket Tunneling Protocol implementation which is a Microsoft proprietary protocol that provides secure remote access through SSL/TLS encryption. The flaw manifests in how the SSTP service processes incoming network packets, specifically when handling malformed or specially crafted tunnel establishment requests. The vulnerability stems from insufficient input validation and memory handling within the protocol stack, allowing an unauthenticated remote attacker to execute arbitrary code on the target system with the privileges of the SSTP service account. This represents a critical security flaw that directly impacts the integrity and confidentiality of remote access services. The technical implementation suffers from buffer overflow conditions and improper memory deallocation practices that create opportunities for code injection attacks.
The operational impact of this vulnerability extends beyond simple remote code execution as it provides attackers with persistent access to corporate networks through the legitimate SSTP infrastructure. Security professionals should note that the vulnerability can be exploited without authentication, making it particularly dangerous in environments where SSTP is deployed for remote worker access. The attack surface includes all Windows systems running the SSTP service, typically found in enterprise environments using Windows Server for remote access solutions. Organizations utilizing SSTP for VPN connections face significant risk as the vulnerability allows attackers to bypass traditional network security controls and establish footholds within protected environments. This vulnerability directly aligns with attack patterns documented in the ATT&CK framework under the T1071.004 technique for application layer protocol usage and T1059 for command and scripting interpreter execution.
Mitigation strategies should focus on immediate patch deployment through Microsoft's security updates, which address the underlying buffer overflow conditions and memory handling flaws. Network segmentation and firewall rules should be implemented to restrict access to SSTP ports, particularly TCP 443 and 1723, preventing unauthorized access attempts. Organizations should conduct comprehensive vulnerability assessments to identify all systems running SSTP services and evaluate their exposure to this threat. Security monitoring should be enhanced to detect anomalous tunnel establishment patterns and unusual network traffic that might indicate exploitation attempts. System administrators should consider disabling SSTP services if alternative VPN solutions are available, as the protocol's complexity increases attack surface exposure. The vulnerability's classification under CWE-121 buffer overflow conditions and CWE-125 out-of-bounds read highlights the fundamental memory safety issues that require comprehensive code review and remediation efforts. Additionally, implementing network detection systems that monitor for suspicious SSTP traffic patterns can provide early warning capabilities for potential exploitation attempts.