CVE-2022-35767 in Windows
Summary
by MITRE • 08/10/2022
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-34714, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, CVE-2022-35794.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/29/2025
The Windows Secure Socket Tunneling Protocol SSTP remote code execution vulnerability represents a critical security flaw that affects the secure communication framework used by enterprise networks for remote access. This vulnerability specifically targets the SSTP implementation within Microsoft Windows operating systems, which is designed to provide encrypted tunneling for remote connections through the Secure Sockets Layer protocol. The flaw enables malicious actors to execute arbitrary code on affected systems, potentially leading to complete system compromise and unauthorized access to sensitive corporate data. Unlike other related vulnerabilities such as CVE-2022-34702 and CVE-2022-34714 that affect different components of the Windows security stack, CVE-2022-35767 maintains its distinct classification due to the specific nature of the SSTP protocol implementation that contains the exploitable condition.
The technical implementation of this vulnerability stems from improper input validation within the SSTP service handling mechanism. When the SSTP client or server processes incoming network packets, the protocol fails to adequately validate certain parameters within the tunnel establishment process, creating a condition where crafted malicious input can trigger memory corruption. This memory corruption vulnerability typically manifests as buffer overflow conditions or heap corruption that can be exploited by attackers to overwrite critical memory locations with malicious code. The vulnerability is classified under CWE-121 for heap-based buffer overflow and CWE-787 for out-of-bounds write conditions, both of which are fundamental weaknesses in memory management that enable arbitrary code execution. The attack surface is particularly concerning as SSTP is commonly deployed in enterprise environments for remote worker access and VPN connectivity, making it a prime target for sophisticated threat actors.
The operational impact of CVE-2022-35767 extends beyond simple remote code execution to encompass complete network compromise and data exfiltration capabilities. Once successfully exploited, attackers can establish persistent backdoors, escalate privileges to SYSTEM level access, and move laterally within the network infrastructure. The vulnerability affects multiple Windows versions including Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, creating widespread exposure across enterprise environments. Security researchers have identified that the vulnerability can be exploited through network-based attacks without requiring authentication, making it particularly dangerous for organizations with exposed SSTP services. The attack vector aligns with ATT&CK technique T1071.004 for application layer protocol tunneling, where adversaries establish covert communication channels through legitimate network protocols. Organizations running SSTP services are at significant risk of targeted attacks, especially those with insufficient network segmentation and monitoring capabilities.
Mitigation strategies for CVE-2022-35767 require immediate implementation of Microsoft security patches and comprehensive network monitoring measures. The primary defense mechanism involves applying the relevant security updates released by Microsoft through Windows Update or Microsoft Update Catalog, which address the specific memory corruption issues within the SSTP implementation. Organizations should also consider disabling SSTP services on systems where they are not required, particularly in environments where alternative VPN solutions such as IKEv2 or L2TP are available. Network administrators should implement strict firewall rules to limit access to SSTP ports and monitor for unusual tunnel establishment patterns that might indicate exploitation attempts. The vulnerability's classification under ATT&CK technique T1190 for exploit for client execution and T1059.001 for command and scripting interpreter highlights the need for endpoint detection and response solutions that can identify suspicious process execution patterns and anomalous network traffic. Additionally, organizations should conduct thorough vulnerability assessments to identify all systems running SSTP services and implement network segmentation to limit the potential impact of successful exploitation. The remediation process must include comprehensive testing of patches in controlled environments before deployment to ensure compatibility with existing network infrastructure and business applications.