Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2022-31199

Disclosure Date: November 08, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

Sounds like Cisco was seeing small-ish-scale exploitation of this bug over the summer to gain initial access and deploy TrueBot payloads. I’d never heard of this product before now, but looking at its website, it looks to be security/IT management software with lots of enterprise customers—i.e., one of those things that’s probably under-scrutinized by researchers (and thus a nifty fun-time target for attackers). Not a lot of internet-facing attack surface area, which is good, but I have to wonder how many people even know there’s a serious vuln in this stuff, let alone how many have actually patched.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • netwrix

Products

  • auditor

Additional Info

Technical Analysis