CVE-2022-47529
Description
Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local users can modify RSA NetWitness Endpoint Windows Agent service configuration via insecure Win32 memory objects, disabling it or executing arbitrary code.
Vulnerability
In RSA NetWitness Platform Endpoint Windows Agents prior to version 12.2, a local user can exploit insecure Win32 memory objects (e.g., event objects) to modify the endpoint agent service configuration. The affected component is LANDeskService.exe (SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d). All versions before 12.2 are vulnerable [1][2].
Exploitation
An attacker with local access (standard user or admin) can open a handle to the Win32 memory objects held by the endpoint agent that have insecure ACLs, modify the access control list (ACL) on those objects, and deny access to the Everyone group. This ACL modification allows the attacker to either stop the agent from sending events to the SIEM or make it run user-supplied commands [1]. A standard user can perform the exploit without elevated privileges [2].
Impact
Successful exploitation results in either a denial-of-service (agent disabled) or arbitrary code execution with the privileges of the endpoint agent service. This bypasses the intended tamper-protection features of the agent [1][2].
Mitigation
RSA NetWitness Platform version 12.2 includes a fix for this vulnerability. Users should upgrade to version 12.2 or later to mitigate the issue. No workarounds are documented in the available references [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- RSA NetWitness Platform/Endpoint Windows Agents (description)
- Range: <12.2
Patches
No patches discovered yet.
References
- seclists.org/fulldisclosure/2023/Mar/26 (mitre, mailing-list)
- seclists.org/fulldisclosure/2024/Apr/17 (mitre, mailing-list)
- community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935 (mitre)
- hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt (mitre)
- packetstormsecurity.com/files/171476/RSA-NetWitness-Endpoint-EDR-Agent-12.x-Incorrect-Access-Control-Code-Execution.html (mitre)
- seclists.org/fulldisclosure/2023/Mar/16 (mitre)
- twitter.com/hyp3rlinx/status/1639335477839790105 (mitre)