CVE-2022-21894

Vulnerability Profile Updated 3 months ago
CVE-2022-21894, also known as "Baton Drop," is a vulnerability in the Windows boot loader that affects Windows machines; Microsoft identified and patched it in January 2022. The flaw lets an attacker bypass a security feature of the device's startup process, Secure Boot, and so take control of an endpoint during the earliest phase of the boot sequence. The BlackLotus malware exploits this vulnerability even on fully patched Windows 11 systems: its bootkit deploys an older, still-vulnerable Windows boot loader and uses Baton Drop to disable Secure Boot. BlackLotus can therefore infect Windows machines with Secure Boot enabled, evading one of the key protections on these systems. The continued exploitation of an already-patched flaw underscores that applying patches promptly is necessary but not sufficient; organizations should also stay alert to new attack vectors, keep their systems up to date, and monitor for any signs of intrusion, particularly during startup, where Baton Drop is most potent.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Blacklotus | 8 | BlackLotus is a type of malware that has been identified as a significant threat to computer systems, specifically targeting the Unified Extensible Firmware Interface (UEFI) and Secure Boot features. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hack
Baton Drop | 4 | The Baton Drop vulnerability, designated CVE-2022-21894, is a flaw in the Windows boot loader that can be exploited to bypass Secure Boot - a security control that protects a Windows system during startup. This vulnerability was targeted by BlackLotus, a software threat that exploits two vulnerabili
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Bootkit
Vulnerability
Windows
Malware
Loader
ESET
NSA
Exploits
Rootkit
Exploit
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CVE-2022-21894 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
ESET | 10 months ago | WeLiveSecurity
BankInfoSecurity | a year ago | US CISA Urges Improvements to Key Computer Component
DARKReading | a year ago | Pernicious Rootkits Pose Growing Blight On Threat Landscape
Securityaffairs | a year ago | Source code of the BlackLotus UEFI Bootkit was leaked on GitHub
CERT-EU | a year ago | Leftover Links 14/07/2023: Microsoft in Trouble With the FTC Again, This Time Over 'Open' 'AI'
CERT-EU | a year ago | BlackLotus UEFI malware source code has leaked on GitHub
Flashpoint | a year ago | Tracking Patch Tuesday Vulnerabilities
InfoSecurity-magazine | a year ago | NSA Releases Guide to Mitigate BlackLotus Bootkit Infections
CERT-EU | a year ago | NSA Releases Guide to Combat BlackLotus Malware
CERT-EU | a year ago | NSA Releases Guide to Combat BlackLotus Malware | IT Security News
CERT-EU | a year ago | NSA: BlackLotus BootKit Patching Won't Prevent Compromise
BankInfoSecurity | a year ago | NSA Issues Remediation Guidance for BlackLotus Malware
CERT-EU | a year ago | BlackLotus bootkit patch may bring "false sense of security", warns NSA
CERT-EU | a year ago | Microsoft’s bootkit patches offer ‘false sense of security’ against BlackLotus threat, NSA says
CERT-EU | a year ago | NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections
CERT-EU | a year ago | Cyber security week in review: June 23, 2023
CERT-EU | a year ago | To kill BlackLotus malware, patching is a good start, but...
Securityaffairs | a year ago | BlackLotus is first bootkit bypassing UEFI Secure Boot on Win 11
CSO Online | a year ago | BlackLotus bootkit can bypass Windows 11 Secure Boot: ESET
CERT-EU | a year ago | March 2023 — mov ax,bx