Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Windows JScript9 Remote Code Execution Vulnerability

IdentifiersCVE-2022-41128CWE-416

CVE-2022-41128 is a Windows Scripting Languages remote code execution vulnerability in the JScript9 component. The provided content states it affects JScript9, and in some reporting is grouped with Windows scripting language issues affecting JScript9 and Chakra. Microsoft and third-party reporting describe the flaw as exploitable when a target is tricked into visiting a specially crafted, attacker-controlled website or server. The vulnerability was reported by Google TAG researchers Benoît Sevens and Clément Lecigne, and Microsoft indicated it had been exploited in the wild at the time of patching in November 2022. The supplied content does not provide a vendor-confirmed root-cause description for CVE-2022-41128 specifically, but given the available information and the common class of JScript engine RCE issues, the most supportable CWE mapping from the provided material is a memory-safety/use-after-free style flaw.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution in the security context of the current user. In observed activity referenced in the content, the vulnerability was used in spear-phishing and web-based attack chains associated with North Korean activity, enabling malware delivery and follow-on compromise. If the victim is running with elevated privileges, the attacker may gain correspondingly higher control over the system. The practical impact includes execution of arbitrary payloads, installation of malware, persistence, data theft, and use of the compromised host as a foothold for further intrusion activity.

Mitigation

If you can’t patch tonight, do this now.

Until patching is fully deployed, reduce exposure by limiting or monitoring access to untrusted websites and attacker-controlled content, especially in phishing-driven scenarios. Harden email and web filtering to block malicious links and attachments used to drive victims to exploit infrastructure. Apply least-privilege controls so users do not routinely operate with administrative rights, reducing post-exploitation impact. Additional compensating controls include browser/network protections, endpoint exploit detection, and restricting legacy scripting or browser components where operationally feasible. The provided content does not include any Microsoft-issued workaround specific to this CVE beyond patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's November 2022 security update for CVE-2022-41128 on affected Windows systems. The content indicates Microsoft patched the issue in its November 2022 Patch Tuesday release and identified active exploitation, so patching should be prioritized. Standard remediation also includes ensuring all supported Windows versions receive current cumulative updates and retiring unsupported systems that cannot receive the fix.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 20h2operating_system
Microsoft CorporationWindows 10 21h1operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 21h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows 7operating_system
Microsoft CorporationWindows 8.1operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2008 R2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
ahnlab asec blogNews
Jun 11, 2025
May 2025 APT Group Trends

A vulnerability referenced as an Internet Explorer flaw, reported here as exploited by TA-RedAnt during a spear-phishing campaign that delivered RokRAT via LNK files inside a compressed archive.

Read more
the hacker newsNews
Oct 16, 2024
North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

A remote code execution vulnerability in Windows Scripting Languages exploited by ScarCruft.

Read more
the hacker newsNews
Nov 9, 2022
Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

A Windows scripting languages (JScript9) remote code execution vulnerability, reported as actively exploited and triggered via a specially crafted website.

Read more
tenable blogNews
Nov 8, 2022
Microsoft’s November 2022 Patch Tuesday Addresses 62 CVEs

A Windows JScript9 remote code execution vulnerability requiring a user to visit an attacker-controlled server.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2022-41128
NVD
nvd.nist.gov/vuln/detail/CVE-2022-41128
MITRE CWE · CWE-416
cwe.mitre.org
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41128