Attacker Value

High

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2022-31199

Disclosure Date: November 08, 2022 •

CVE-2022-31199 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7 and 2 more...
View Source Details

Description

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

Add Assessment

ccondon-r7 (286)

December 13, 2022 4:40pm UTC (1 year ago)

Ratings

Attacker Value

High

Exploitability

Medium

Common in enterprise Gives privileged access

Technical Analysis

Sounds like Cisco was seeing small-ish-scale exploitation of this bug over the summer to gain initial access and deploy TrueBot payloads. I’d never heard of this product before now, but looking at its website, it looks to be security/IT management software with lots of enterprise customers—i.e., one of those things that’s probably under-scrutinized by researchers (and thus a nifty fun-time target for attackers). Not a lot of internet-facing attack surface area, which is good, but I have to wonder how many people even know there’s a serious vuln in this stuff, let alone how many have actually patched.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

netwrix

Products

auditor

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Threat Feed (https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/)
News Article or Blog (https://securityaffairs.co/wordpress/139527/malware/truebot-infections-clop-ransomware-attacks.html)

Reported: December 12, 2022 5:52pm UTC (1 year ago)

ccondon-r7 indicated source as News Article or Blog (https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/)

Reported: December 13, 2022 4:40pm UTC (1 year ago)

mkienow-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/07/11/cisa-adds-five-known-vulnerabilities-catalog)

Reported: July 11, 2023 7:17pm UTC (1 year ago)

References

Canonical

CVE-2022-31199 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31199)

Miscellaneous

https://bishopfox.com/blog/netwrix-auditor-advisory

Rapid7

High

CVE-2022-31199

High

Moderate

None

None

Network

CVE-2022-31199

Description