CVE-2022-0543

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 18 February 2022
Modified: 10 November 2025
KEV Added: 28 March 2022
Patch: available (Debian DSA-5081)
CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.9440 (100.0th percentile)
Risk Priority: 97 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0543 is a critical-severity vulnerability in the redis package shipped by Debian Linux, classified by NVD as Missing Authorization (CWE-862). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, its EPSS score places it in the 100th percentile of all scored CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-0543 is a Debian-specific Lua sandbox escape in redis, the persistent key-value database, and it stems from a packaging issue rather than from upstream redis code: the Debian build left Lua's package library (and with it package.loadlib) reachable from EVAL scripts, so a script can load arbitrary shared objects and break out of the sandbox that upstream redis relies on. It carries a CVSS 3.1 base score of 10.0 and is tracked under CWE-862.

An unauthenticated remote attacker who can reach the redis port and issue EVAL can exploit the issue over the network without user interaction. Successful exploitation yields arbitrary code execution on the host with the privileges of the redis-server process (the unprivileged redis service account in a default Debian install), fully compromising the confidentiality, integrity, and availability of the instance and giving the attacker a foothold on the host.

Debian addressed the vulnerability in DSA-5081 and the associated security announcement, with corresponding updates available through the package repositories. NetApp also published advisory NTAP-20220331-0004 describing affected products and recommended remediation steps. Public exploit code has been posted to Packet Storm, and the CVE maintains a high EPSS score with a recorded peak of 0.9744.
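The escape described above depends on the Lua `package` library being visible to EVAL scripts, so the most direct check of an instance is to ask the Lua interpreter whether `package.loadlib` is a function. The following is an added example, not code from the advisory, Debian or the Redis project: it speaks RESP2 over a plain socket, sends a side-effect-free probe script (constructed here; it inspects globals only and loads nothing), and classifies the reply. The host and port are assumptions, and the sample replies used in the usage note are constructed.

```python
"""Probe a Redis instance for the CVE-2022-0543 precondition: Lua's `package`
library reachable from EVAL. Added example; host/port are assumptions."""
import socket


class Incomplete(ValueError):
    """Raised when the buffered bytes do not yet hold a full RESP2 reply."""


# Side-effect-free probe: only checks whether package.loadlib is a function.
PROBE_SCRIPT = (
    'return tostring(type(package) == "table" '
    'and type(package.loadlib) == "function")'
)


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP2 array of bulk strings."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        data = part.encode()
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def probe_command() -> bytes:
    """EVAL <script> 0 : the script touches no keys, hence numkeys = 0."""
    return encode_command("EVAL", PROBE_SCRIPT, "0")


def parse_reply(raw: bytes) -> tuple[str, str]:
    """Parse one RESP2 reply into (kind, payload). Raises Incomplete if more
    bytes are needed; only the reply types EVAL can produce here are handled."""
    if len(raw) < 3:
        raise Incomplete("short read")
    prefix, body = raw[:1], raw[1:]
    if prefix in (b"+", b"-", b":"):
        if not body.endswith(b"\r\n"):
            raise Incomplete("line not terminated")
        kind = {b"+": "status", b"-": "error", b":": "integer"}[prefix]
        return kind, body[:-2].decode()
    if prefix == b"$":
        header, sep, rest = body.partition(b"\r\n")
        if not sep:
            raise Incomplete("bulk header not terminated")
        length = int(header)
        if length == -1:
            return "null", ""
        if len(rest) < length + 2:
            raise Incomplete("bulk body truncated")
        return "bulk", rest[:length].decode()
    return "other", body.decode(errors="replace").rstrip("\r\n")


def classify(raw: bytes) -> str:
    """Turn the EVAL reply into an assessment string."""
    kind, payload = parse_reply(raw)
    if kind == "bulk":
        if payload == "true":
            return "VULNERABLE: package.loadlib reachable from EVAL"
        if payload == "false":
            return "not vulnerable: package library not exposed (this escape is absent)"
        return f"unexpected reply: {payload!r}"
    if kind == "error":
        # NOAUTH / NOPERM / DENIED / ERR unknown command: EVAL is not reachable
        # as sent. That is a mitigation in place, not proof the build is fixed.
        return f"EVAL refused ({payload.split()[0]}); check auth, ACLs and rename-command"
    return f"unexpected reply kind {kind}: {payload!r}"


def probe(host: str = "127.0.0.1", port: int = 6379, timeout: float = 3.0) -> str:
    """Send the probe to a live instance (assumed host/port) and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe_command())
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a reply arrived")
            raw += chunk
            try:
                parse_reply(raw)
            except Incomplete:
                continue
            return classify(raw)


if __name__ == "__main__":
    print(probe())
```

A bulk reply of `true` means the precondition for the public exploit is present; `false` means this particular escape is absent, which is what a patched Debian package or an upstream build returns. An error reply (for example `-NOAUTH Authentication required.` or `-DENIED ...` from protected mode) only tells you that EVAL was not reachable from where you probed, so treat it as "mitigated for this path", not as "patched", and still confirm the package version against DSA-5081.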

Vulnerability details

It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CWE(s): CWE-862 (Missing Authorization)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: redis (Debian redis package)
Versions: all Debian builds prior to the DSA-5081 update

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly requires timely installation of vendor patches that close the Debian Lua sandbox escape in Redis.

Prevent (AC-6, Least Privilege): Limits privileges of the Redis process so that a successful Lua sandbox escape yields only minimal system access.

Prevent: Disables or restricts the Lua scripting interface when not required, eliminating the attack surface exploited by CVE-2022-0543.
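The second and third controls are mostly a matter of redis.conf. The audit below is an added example, not from the advisory or the Redis project; the two configurations it checks are constructed for illustration, one exposing an unauthenticated EVAL to every interface and one that authenticates clients, binds to loopback and removes the scripting surface twice over (rename-command for older servers, an ACL -@scripting rule for Redis 6 and later).

```python
"""Audit a redis.conf for the exposures that make CVE-2022-0543 reachable:
the Lua scripting surface, network exposure and missing authentication.
Added example; the sample configurations are constructed."""
import shlex

# Constructed: the kind of default-ish config that left instances exposed.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: loopback only, authenticated, scripting removed both ways.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass use-a-long-random-secret-here
# EVAL/EVALSHA are not needed by this deployment: remove them outright.
rename-command EVAL ""
rename-command EVALSHA ""
# Redis 6+: deny the whole scripting category to the default user as well.
user default on >use-a-long-random-secret-here ~* &* +@all -@scripting
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs, skipping blank lines and comments.
    shlex keeps the empty "" argument that rename-command uses to disable."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(conf_text: str) -> list[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    entries = parse_conf(conf_text)

    def get(name: str) -> list[list[str]]:
        return [args for directive, args in entries if directive == name]

    findings = []

    # 1. Scripting surface: EVAL and EVALSHA must be disabled by rename-command
    #    or denied through an ACL rule on the default user.
    renamed_away = {
        args[0].upper()
        for args in get("rename-command")
        if len(args) == 2 and args[1] == ""
    }
    acl_denies_scripting = any("-@scripting" in args for args in get("user"))
    if not ({"EVAL", "EVALSHA"} <= renamed_away or acl_denies_scripting):
        findings.append(
            "SCRIPTING: EVAL/EVALSHA reachable; disable via rename-command "
            "or an ACL -@scripting rule"
        )

    # 2. Network exposure: no bind directive means all interfaces.
    binds = get("bind")
    bound = [addr for args in binds for addr in args]
    if not binds or any(addr in ALL_INTERFACES for addr in bound):
        findings.append("NETWORK: listening on all interfaces; bind to specific addresses")
    protected = get("protected-mode")
    if protected and protected[-1] and protected[-1][0].lower() == "no":
        findings.append("NETWORK: protected-mode disabled")

    # 3. Authentication: requirepass or ACL users, and no passwordless default.
    users = get("user")
    default_nopass = any(
        args and args[0] == "default" and "nopass" in args for args in users
    )
    if not get("requirepass") and not users:
        findings.append("AUTH: no requirepass and no ACL users; unauthenticated EVAL possible")
    elif default_nopass:
        findings.append("AUTH: default user is nopass")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Two caveats a practitioner should keep in mind. First, this audits only redis.conf: running redis-server as an unprivileged service account (Debian's package does so by default) and any systemd sandboxing are the AC-6 side of the story and are not visible here. Second, rename-command predates ACLs and does not cover SCRIPT LOAD or, on Redis 7, FCALL and FUNCTION; the -@scripting category covers all of them, so on Redis 6+ prefer the ACL rule and treat rename-command as belt-and-braces. Neither replaces installing the DSA-5081 update.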
