CVE-2022-41975 is a local privilege escalation vulnerability affecting RealVNC's VNC Server versions prior to 6.11.0 and VNC Viewer versions prior to 6.22.826 on Windows platforms. The vulnerability arises due to improper handling of the MSI installer Repair mode, which can be exploited by a local attacker with limited privileges to escalate their rights to higher privilege levels, potentially SYSTEM-level. The CVSS 3.1 base score of 7.8 reflects a high severity, indicating significant impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The scope remains unchanged (S:U). Exploiting this flaw allows an attacker to gain elevated privileges, which can lead to full system compromise, unauthorized access to sensitive data, and the ability to install persistent malware or manipulate system configurations. Although no known exploits are reported in the wild, the vulnerability represents a critical risk for environments where RealVNC software is deployed, especially in enterprise or managed service contexts where remote desktop solutions are common. The vulnerability is categorized under CWE-269 (Improper Privilege Management), highlighting a failure to enforce proper access control during MSI repair operations. The lack of available patches at the time of reporting underscores the urgency for affected organizations to apply updates once released or implement compensating controls.

For European organizations, this vulnerability poses a significant threat, particularly in sectors relying heavily on remote desktop technologies for IT management, support, and operational continuity. Successful exploitation could allow attackers to bypass user privilege restrictions, leading to unauthorized access to critical systems and sensitive information. This can result in data breaches, disruption of services, and potential lateral movement within corporate networks. Given the high confidentiality, integrity, and availability impact, organizations in finance, healthcare, government, and critical infrastructure sectors are at heightened risk. Moreover, the local nature of the exploit means that insider threats or attackers who have gained limited access through other means could leverage this vulnerability to escalate privileges and deepen their foothold. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as threat actors often reverse-engineer disclosed vulnerabilities to develop exploits. European organizations must therefore prioritize vulnerability management and monitoring to mitigate potential exploitation.

1. Immediate application of vendor patches and updates once available is the most effective mitigation. Organizations should monitor RealVNC advisories closely. 2. Until patches are released, restrict local user permissions to the minimum necessary, preventing untrusted users from accessing systems with RealVNC installed. 3. Implement strict application whitelisting and endpoint protection to detect and block unauthorized MSI repair operations or suspicious installer activity. 4. Employ robust logging and monitoring of MSI installer events and privilege escalation attempts to enable rapid detection and response. 5. Use network segmentation to limit access to systems running vulnerable RealVNC versions, reducing the risk of local exploitation by unauthorized users. 6. Educate IT staff and users about the risks of local privilege escalation and enforce policies to prevent the execution of untrusted installers or scripts. 7. Consider alternative remote access solutions with a stronger security posture if patching is delayed or not feasible in the short term.