Threat Watch

Microsoft Patch Tuesday Can Disable Shadow Copy to SMB

Microsoft’s “Patch Tuesday” security update, released on June 14th, included a fix for CVE-2022-30154 that disables data backups using Volume Shadow Copy Service (VSS) for some deployments of Windows Server. CVE-2022-30154 is an elevation of privilege vulnerability in the Microsoft File Server Shadow Copy Service (RVSS). The issue only occurs when the data backup stores information on SMB shares on a file server. The error received will be E_ACCESSDENIED errors during VSS operations, and a FileShareShadowCopyAgent Event 1013 will be logged on the file server.

The complete list of affected Windows versions and the Windows updates that introduced the issue includes:

Windows Server 2022 (KB5014678)

Windows 10, version 20H2 (KB5014699)

Windows Server 2019 (KB5014692)

Windows Server 2016 (KB5014702)

Windows Server 2012 R2 (KB5014746)

Windows Server 2012 (KB5014747)


There are no known reports of CVE-2022-30154 being exploited in the wild. The priority for organizations, as always, is the confidentiality, integrity, and availability of data and services, which means in non-critical cases it is a higher priority to properly test an update prior to deployment. Organizations are recommended to apply updates across all Windows servers to properly secure systems against lateral movement and privilege escalation, and to avoid this bug as well. Proper testing and deployment of data backup services are essential to an organization in the modern threat environment – due to the complexity of modern computing systems and the proliferation of zero-day threats, incursions can and will occur. Good security practices, such as testing data backup and data restoration, limit the disruption of an incursion and improve the resiliency of an organization’s systems.