CVE-2022-45770

Vulnerability

CVE-2022-45770 is a local privilege escalation vulnerability in the AdGuard for Windows WFP driver (adgnetworkwfpdrv.sys) prior to version 7.11. The vulnerability is due to improper input validation in the driver's IOCTL handler, which allows an attacker to send crafted requests that trigger a buffer overflow or other memory corruption. The affected versions include all AdGuard for Windows x86 releases through 7.11 [1][2].

Exploitation

An attacker requires local access to the system with low privileges (e.g., a standard user account). The exploit involves sending specially crafted IOCTL codes to the device object exposed by adgnetworkwfpdrv.sys. By manipulating input buffers, the attacker can trigger an out-of-bounds write or other memory corruption within kernel space. A public proof-of-concept exploit exists on GitHub that demonstrates the steps required to achieve exploitation [3].

Impact

Successful exploitation results in arbitrary kernel-mode code execution, enabling the attacker to escalate privileges from a low-privileged user to NT AUTHORITY\SYSTEM. This grants full control over the targeted system, including the ability to read sensitive data, install persistent malware, or disable security software [2][3].

Mitigation

AdGuard released a patched version 7.11.4078.0 on July 25, 2022, which resolves the vulnerability by improving input validation in the WFP driver [1]. Users should update to this version or later. No other workarounds are known, and the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. If updating is not possible, users should limit local access to trusted individuals.