CVE-2021-22502
Published: 08 February 2021
Summary
CVE-2021-22502 is a critical-severity OS Command Injection (CWE-78) vulnerability in Microfocus Operation Bridge Reporter. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-22502 is a remote code execution vulnerability affecting Micro Focus Operation Bridge Reporter (OBR) version 10.40. It is classified under CWE-78 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible command injection that can be triggered without authentication or user interaction.
An unauthenticated attacker can send specially crafted requests over the network to the OBR server, resulting in arbitrary command execution. Successful exploitation grants full control over the affected server, with complete impact on confidentiality, integrity, and availability.
Public exploit code and technical details are available via Packet Storm, while vendor guidance and additional analysis appear in the Micro Focus knowledge document KM03775947 and Zero Day Initiative advisories ZDI-21-153 and ZDI-21-154.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9648
Vulnerability details
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the unauthenticated command injection (CWE-78) by validating all network-supplied input before it reaches the OS command interpreter in OBR 10.40.
Enforces access-control policy on the OBR server so that unauthenticated remote requests cannot reach the vulnerable code path that permits arbitrary command execution.
Restricts network traffic to the OBR server, reducing the attack surface for the unauthenticated RCE vector described in the CVE.